Windows Analysis Report
steel.exe.2.exe

Overview

General Information

Sample name: steel.exe.2.exe
Analysis ID: 1577469
MD5: 43869d173a6397de9cf28b79ef8019b2
SHA1: 13b9735eddfe589e332adfb4abd089261a13b1d5
SHA256: 85a1f3ab935b0d7c803da2d26646b3a50242509fe63041fdee429963256018df
Tags: bulletproofexe, Socks5Systemz, user-abus3reports

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • steel.exe.2.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\steel.exe.2.exe" MD5: 43869D173A6397DE9CF28B79EF8019B2)
    • steel.exe.2.tmp (PID: 5692 cmdline: "C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp" /SL5="$203CE,3119679,56832,C:\Users\user\Desktop\steel.exe.2.exe" MD5: ED6A19AD054AD0172201AF725324781B)
      • mediacodecpack.exe (PID: 3444 cmdline: "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i MD5: B69E5FA299A1F14503BE46E4D762D943)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-P1VKL.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000002.2612183102.0000000002B13000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000001.00000002.2613496883.0000000005E10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000003.00000000.1365113971.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: mediacodecpack.exe PID: 3444 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Source | Rule | Description | Author | Strings
3.0.mediacodecpack.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T14:02:38.997500+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49836 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:41.447393+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49843 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:43.771409+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49849 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:46.207571+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49855 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:48.820434+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49865 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:51.263898+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49871 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:53.759673+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49877 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:56.369688+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49884 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:58.974799+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49890 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:01.474713+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49896 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:04.385392+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49902 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:07.084542+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49912 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:09.709304+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:12.248024+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49924 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:14.996406+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:17.262780+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49941 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:19.614540+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49947 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:21.877527+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49953 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:24.276074+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49959 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:26.827518+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49965 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:29.447269+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49971 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:31.915590+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49977 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:34.501193+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49983 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:36.885022+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49989 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:39.406824+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49995 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:41.956892+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49998 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:44.230138+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:46.776754+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 50000 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:49.109038+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 50001 | 188.119.66.185 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T14:02:39.668902+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49836 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:42.214092+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49843 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:44.454814+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49849 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:47.071355+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49855 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:49.513241+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49865 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:51.958257+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49871 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:54.687383+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49877 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:57.186156+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49884 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:59.659924+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49890 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:02.323108+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49896 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:05.488565+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49902 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:07.782427+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49912 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:10.408996+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:12.932853+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49924 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:15.676865+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:18.014075+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49941 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:20.294663+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49947 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:22.610376+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49953 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:25.061860+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49959 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:27.564892+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49965 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:30.176297+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49971 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:32.767477+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49977 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:35.311060+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49983 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:37.589407+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49989 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:40.179824+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49995 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:42.637303+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49998 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:44.930555+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:47.452673+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 50000 | 188.119.66.185 | 443 | TCP


AV Detection

Source: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd325 | Avira URL Cloud: Label: malware
Source: steel.exe.2.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_0045D254 ArcFourCrypt,1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_0045D23C ArcFourCrypt,1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack
Source: steel.exe.2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.9:49836 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-25OUI.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-KTOB6.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-25OUI.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-HRNSK.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-KTOB6.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError,1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463CDC
Source: Joe Sandbox View | IP Address: 188.119.66.185 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49836 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49865 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49871 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49890 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49884 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49843 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49912 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49902 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49918 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49849 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49877 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49941 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49959 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49931 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49953 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49971 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49977 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49983 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49989 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49999 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49998 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:50001 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49924 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49855 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49995 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49965 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49896 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:50000 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49947 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49836 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49865 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49855 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49877 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49884 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49918 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49890 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49924 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49871 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49971 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49983 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49999 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49998 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49843 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49902 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49989 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49896 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49849 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:50000 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49931 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49995 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49912 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49941 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49947 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49959 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49953 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49965 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49977 -> 188.119.66.185:443
Source: global traffic | HTTP traffic detected:
    GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02BB2B95 WSASetLastError,WSARecv,WSASetLastError,select, 3_2_02BB2B95
                    Source: steel.exe.2.tmp, 00000001.00000002.2613496883.0000000005EDC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000000.1365288595.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, MediaCodecPack.exe.3.dr, mediacodecpack.exe.1.dr, is-P1VKL.tmp.1.dr | String found in binary or memory: http://wonderwork.ucoz.com/
                    Source: steel.exe.2.tmp, steel.exe.2.tmp, 00000001.00000000.1351230797.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JGC1S.tmp.1.dr, steel.exe.2.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: steel.exe.2.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                    Source: steel.exe.2.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: steel.exe.2.exe, 00000000.00000003.1350779347.0000000002088000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.exe, 00000000.00000003.1350617622.0000000002340000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, steel.exe.2.tmp, 00000001.00000000.1351230797.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JGC1S.tmp.1.dr, steel.exe.2.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: steel.exe.2.exe, 00000000.00000003.1350779347.0000000002088000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.exe, 00000000.00000003.1350617622.0000000002340000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000000.1351230797.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JGC1S.tmp.1.dr, steel.exe.2.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/#
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/$
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/2
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/405117-2476756634-1003=
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/C
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/L
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/M
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/V
                    Source: mediacodecpack.exe, 00000003.00000002.2610701101.0000000000812000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/Y
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/Z
                    Source: mediacodecpack.exe, 00000003.00000003.2557428878.0000000003390000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd325
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-GB
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-US
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/l
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ography
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/p
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/p&
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/priseCertificates
                    Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/~
                    Source: steel.exe.2.exe, 00000000.00000003.1350218072.0000000002340000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.exe, 00000000.00000002.2610789414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.exe, 00000000.00000003.1350289760.0000000002081000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000003.1353022216.0000000002148000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000002.2611128350.0000000000588000.00000004.00000020.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000003.1352924868.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000002.2611715292.0000000002148000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
                    Source: unknown | Network traffic detected: HTTP traffic on port 49890 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
                    Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49941
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
                    Source: unknown | Network traffic detected: HTTP traffic on port 49836 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49871 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49912 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49965 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49977 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49902 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49977
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49855
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49931
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49896
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49971
                    Source: unknown | Network traffic detected: HTTP traffic on port 49971 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49890
                    Source: unknown | Network traffic detected: HTTP traffic on port 49855 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50000 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49924
                    Source: unknown | Network traffic detected: HTTP traffic on port 49999 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49965
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
                    Source: unknown | Network traffic detected: HTTP traffic on port 49924 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49884
                    Source: unknown | Network traffic detected: HTTP traffic on port 49995 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49953 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49947 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49918 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49896 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49877 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50001 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49918
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49959
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49836
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49912
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49999
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49877
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49998
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49953
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49995
                    Source: unknown | Network traffic detected: HTTP traffic on port 49998 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49871
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50001
                    Source: unknown | Network traffic detected: HTTP traffic on port 49931 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50000
                    Source: unknown | Network traffic detected: HTTP traffic on port 49959 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49983 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49884 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49941 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49947
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49902
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
                    Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.9:49836 version: TLS 1.2
                    Source: is-HRNSK.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_df94f93a-9
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmpCode function: 1_2_0042F520 NtdllDefWindowProc_A,1_2_0042F520
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmpCode function: 1_2_00423B84 NtdllDefWindowProc_A,1_2_00423B84
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmpCode function: 1_2_004125D8 NtdllDefWindowProc_A,1_2_004125D8
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmpCode function: 1_2_00478AC0 NtdllDefWindowProc_A,1_2_00478AC0
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmpCode function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_00457594
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmpCode function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042E934
                    Source: C:\Users\user\Desktop\steel.exe.2.exeCode function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmpCode function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004555E4
                    Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_0040840C
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004706A8
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004809F7
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004352C8
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004673A4
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0043DD50
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0043035C
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004444C8
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004345C4
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00444A70
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00486BD0
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00430EE8
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0045F0C4
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00445168
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0045B174
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00469404
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00445574
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004519BC
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00487B30
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0048DF54
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_00401000
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_004067B7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_609660FA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6092114F
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6091F2C9
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6096923E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6093323D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6095C314
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60950312
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6094D33B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6093B368
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6096748C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6093F42E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60954470
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_609615FA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6096D6A4
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_609606A8
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60932654
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60955665
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6094B7DB
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6092F74D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60964807
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6094E9BC
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60937929
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6093FAD6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6096DAE8
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_6094DA3A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60936B27
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60954CF6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60950C6B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60966DF1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60963D35
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60909E9C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60951E86
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60912E0B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_60954FF8
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BD2A80
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BCBAFD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BCD32F
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BC70C0
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BBE07E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BCB609
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BD267D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BCBF15
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BC874A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BD0DB4
                    Source: Joe Sandbox View Dropped File: C:\ProgramData\MediaCodecPack\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: String function: 02BC7760 appears 32 times
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: String function: 02BD2A10 appears 135 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00408C0C appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00406AC4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 0040595C appears 117 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00457F1C appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00403400 appears 60 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00445DD4 appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00457D10 appears 96 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 004344DC appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 004078F4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00403494 appears 83 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00403684 appears 225 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 00453344 appears 97 times
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: String function: 004460A4 appears 59 times
                    Source: steel.exe.2.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: steel.exe.2.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: steel.exe.2.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-JGC1S.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-JGC1S.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-JGC1S.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: sqlite3.dll.3.dr Static PE information: Number of sections : 19 > 10
                    Source: is-UHNJ4.tmp.1.dr Static PE information: Number of sections : 19 > 10
                    Source: steel.exe.2.exe, 00000000.00000003.1350779347.0000000002088000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs steel.exe.2.exe
                    Source: steel.exe.2.exe, 00000000.00000003.1350617622.0000000002340000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs steel.exe.2.exe
                    Source: steel.exe.2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine Classification label: mal100.troj.evad.winEXE@5/26@0/1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BBF8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
                    Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_00401CF9 CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance
                    Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_0040DEE9 StartServiceCtrlDispatcherA
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\Programs
                    Source: C:\Users\user\Desktop\steel.exe.2.exe File created: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp
                    Source: Yara match File source: 3.0.mediacodecpack.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000001.00000002.2613496883.0000000005E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000000.1365113971.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara match File source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-P1VKL.tmp, type: DROPPED
                    Source: Yara match File source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, type: DROPPED
                    Source: Yara match File source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\steel.exe.2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000003.00000003.1672922811.000000000074C000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-UHNJ4.tmp.1.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: steel.exe.2.exe ReversingLabs: Detection: 15%
                    Source: steel.exe.2.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: steel.exe.2.exe String found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\steel.exe.2.exe File read: C:\Users\user\Desktop\steel.exe.2.exe
                    Source: unknown Process created: C:\Users\user\Desktop\steel.exe.2.exe "C:\Users\user\Desktop\steel.exe.2.exe"
                    Source: C:\Users\user\Desktop\steel.exe.2.exe Process created: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp "C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp" /SL5="$203CE,3119679,56832,C:\Users\user\Desktop\steel.exe.2.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                    Source: C:\Users\user\Desktop\steel.exe.2.exe Process created: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp "C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp" /SL5="$203CE,3119679,56832,C:\Users\user\Desktop\steel.exe.2.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                    Source: C:\Users\user\Desktop\steel.exe.2.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\steel.exe.2.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Window found: window name: TMainForm
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
                    Source: steel.exe.2.exe Static file information: File size 3368652 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-25OUI.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-KTOB6.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-25OUI.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-HRNSK.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-KTOB6.tmp.1.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack .aitt4:ER;.ajtt4:R;.aktt4:W;.rsrc:R;.altt4:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: initial sample Static PE information: section where entry point is pointing to: .aitt4
Source: mediacodecpack.exe.1.dr Static PE information: section name: .aitt4
Source: mediacodecpack.exe.1.dr Static PE information: section name: .ajtt4
Source: mediacodecpack.exe.1.dr Static PE information: section name: .aktt4
Source: mediacodecpack.exe.1.dr Static PE information: section name: .altt4
Source: is-HRNSK.tmp.1.dr Static PE information: section name: Shared
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /4
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /19
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /35
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /51
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /63
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /77
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /89
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /102
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /113
Source: is-UHNJ4.tmp.1.dr Static PE information: section name: /124
Source: MediaCodecPack.exe.3.dr Static PE information: section name: .aitt4
Source: MediaCodecPack.exe.3.dr Static PE information: section name: .ajtt4
Source: MediaCodecPack.exe.3.dr Static PE information: section name: .aktt4
Source: MediaCodecPack.exe.3.dr Static PE information: section name: .altt4
Source: sqlite3.dll.3.dr Static PE information: section name: /4
Source: sqlite3.dll.3.dr Static PE information: section name: /19
Source: sqlite3.dll.3.dr Static PE information: section name: /35
Source: sqlite3.dll.3.dr Static PE information: section name: /51
Source: sqlite3.dll.3.dr Static PE information: section name: /63
Source: sqlite3.dll.3.dr Static PE information: section name: /77
Source: sqlite3.dll.3.dr Static PE information: section name: /89
Source: sqlite3.dll.3.dr Static PE information: section name: /102
Source: sqlite3.dll.3.dr Static PE information: section name: /113
Source: sqlite3.dll.3.dr Static PE information: section name: /124
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
Source: mediacodecpack.exe.1.dr Static PE information: section name: .aitt4 entropy: 7.742547415203049
Source: MediaCodecPack.exe.3.dr Static PE information: section name: .aitt4 entropy: 7.742547415203049

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02BBE8A7
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NAAF0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-25OUI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe File created: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe
Source: C:\Users\user\Desktop\steel.exe.2.exe File created: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-KTOB6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-HRNSK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy)
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe File created: C:\ProgramData\MediaCodecPack\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-JGC1S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-UHNJ4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy)

Boot Survival

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02BBE8A7
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW, 3_2_00401951
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
Source: C:\Users\user\Desktop\steel.exe.2.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe RDTSC instruction interceptor: First address: 40D6C2 second address: 40D6C2 instructions: 0x00000000 rdtsc 0x00000002 sal si, FFF1h 0x00000006 mov eax, dword ptr [ebp-0Ch] 0x00000009 mov edx, dword ptr [ebp-30h] 0x0000000c rcr esi, FFFFFFD5h 0x0000000f movzx esi, bx 0x00000012 add edx, dword ptr [eax+0Ch] 0x00000015 lahf 0x00000016 cwde 0x00000017 mov eax, dword ptr [ebp-18h] 0x0000001a mov si, cx 0x0000001d movsx esi, si 0x00000020 mov esi, dword ptr [ebp-18h] 0x00000023 mov cl, byte ptr [ecx+esi] 0x00000026 jmp 00007FC2BCFC3539h 0x0000002b mov byte ptr [edx+eax], cl 0x0000002e jmp 00007FC2BCFDA6DCh 0x00000033 mov eax, dword ptr [ebp-18h] 0x00000036 jmp 00007FC2BCFC222Ch 0x0000003b inc eax 0x0000003c ror cl, 0000007Bh 0x0000003f btc ecx, FFFFFF83h 0x00000043 mov dword ptr [ebp-18h], eax 0x00000046 jmp 00007FC2BCFDAD20h 0x0000004b mov eax, dword ptr [ebp-28h] 0x0000004e cmp ebp, eax 0x00000050 or ch, cl 0x00000052 mov ecx, dword ptr [ebp-18h] 0x00000055 cmp di, 6D14h 0x0000005a cmp ecx, dword ptr [eax+10h] 0x0000005d jnc 00007FC2BCFC2653h 0x00000063 mov eax, dword ptr [ebp-28h] 0x00000066 jmp 00007FC2BCFCE504h 0x0000006b mov ecx, dword ptr [ebp-1Ch] 0x0000006e add si, di 0x00000071 add ecx, dword ptr [eax+14h] 0x00000074 rdtsc
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_0040D6B9 rdtsc 3_2_0040D6B9
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_02BBE9AB
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Window / User API: threadDelayed 3964
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Window / User API: threadDelayed 5947
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NAAF0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-25OUI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-KTOB6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-HRNSK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-JGC1S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-UHNJ4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy)
Source: C:\Users\user\Desktop\steel.exe.2.exe Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5966
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_3-61148
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe API coverage: 3.0 %
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 4792 Thread sleep count: 3964 > 30
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 4792 Thread sleep time: -7928000s >= -30000s
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 1992 Thread sleep time: -1260000s >= -30000s
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 4792 Thread sleep count: 5947 > 30
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 4792 Thread sleep time: -11894000s >= -30000s
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Thread delayed: delay time: 60000
Source: mediacodecpack.exe, 00000003.00000002.2610701101.0000000000738000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhe1
Source: mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\steel.exe.2.exe API call chain: ExitProcess graph end node graph_0-6763
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe API call chain: ExitProcess graph end node graph_3-60748
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_3-61044
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_0040D6B9 rdtsc 3_2_0040D6B9
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BC3A08 _memset,IsDebuggerPresent, 3_2_02BC3A08
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BCE6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 3_2_02BCE6BE
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BB5E5E RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, 3_2_02BB5E5E
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BC80E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_02BC80E8
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478504
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe Code function: 3_2_02BBE85F cpuid 3_2_02BBE85F
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: GetLocaleInfoA, 1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: GetLocaleInfoA, 1_2_004085B4
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004585C8
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
Source: C:\Users\user\Desktop\steel.exe.2.exe Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2612183102.0000000002B13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mediacodecpack.exe PID: 3444, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.2612183102.0000000002B13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: mediacodecpack.exe PID: 3444, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_609660FA
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,3_2_6090C1D6
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60963143
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_6096A2BD
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,3_2_6096923E
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,3_2_6096A38C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_6096748C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,3_2_609254B1
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6094B407
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6090F435 sqlite3_bind_parameter_index,3_2_6090F435
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,3_2_609255D4
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_609255FF sqlite3_bind_text,3_2_609255FF
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,3_2_6096A5EE
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,3_2_6094B54C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60925686
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,3_2_6094A6C5
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,3_2_609256E5
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B6ED
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6092562A sqlite3_bind_blob,3_2_6092562A
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,3_2_60925655
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6094C64A
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_609687A7
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6095F7F7
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,3_2_6092570B
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F772
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,3_2_60925778
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6090577D sqlite3_bind_parameter_name,3_2_6090577D
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B764
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6090576B sqlite3_bind_parameter_count,3_2_6090576B
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,3_2_6094A894
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F883
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,3_2_6094C8C2
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,3_2_6096281E
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,3_2_6096583A
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,3_2_6095F9AD
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6094A92B
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6090EAE5 sqlite3_transfer_bindings,3_2_6090EAE5
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,3_2_6095FB98
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_6095ECA6
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095FCCE
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6095FDAE
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,3_2_60966DF1
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_60969D75
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Code function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,3_2_6095FFB2
MITRE ATT&CK Matrix

The rendered matrix did not survive extraction. Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques that carry a signature count in the matrix: Native API, DLL Side-Loading, Exploitation for Privilege Escalation, Deobfuscate/Decode Files or Information, Input Capture, System Time Discovery, Archive Collected Data, Ingress Tool Transfer, System Shutdown/Reboot, Command and Scripting Interpreter, Windows Service, Obfuscated Files or Information, Account Discovery, Encrypted Channel, Service Execution, Bootkit, Access Token Manipulation, Software Packing, File and Directory Discovery, Non-Application Layer Protocol, System Information Discovery, Application Layer Protocol, Process Injection, Masquerading, Security Software Discovery, Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, System Owner/User Discovery, System Network Configuration Discovery.
Source | Detection | Scanner | Label | Link
steel.exe.2.exe | 16% | ReversingLabs | Win32.Trojan.Munp

Source | Detection | Scanner | Label | Link
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | 100% | Joe Sandbox ML
C:\ProgramData\MediaCodecPack\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-25OUI.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-HRNSK.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-KTOB6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-NAAF0.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-UHNJ4.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\sqlite3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I5CUJ.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://188.119.66.185/Z | 0% | Avira URL Cloud | safe
https://188.119.66.185/Y | 0% | Avira URL Cloud | safe
https://188.119.66.185/# | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 | 100% | Avira URL Cloud | malware
https://188.119.66.185/l | 0% | Avira URL Cloud | safe
https://188.119.66.185/2 | 0% | Avira URL Cloud | safe
https://188.119.66.185/V | 0% | Avira URL Cloud | safe
https://188.119.66.185/p | 0% | Avira URL Cloud | safe
https://188.119.66.185/$ | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd325 | 100% | Avira URL Cloud | malware
https://188.119.66.185/C | 0% | Avira URL Cloud | safe
https://188.119.66.185/M | 0% | Avira URL Cloud | safe
https://188.119.66.185/405117-2476756634-1003= | 0% | Avira URL Cloud | safe
https://188.119.66.185/~ | 0% | Avira URL Cloud | safe
https://188.119.66.185/p& | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | steel.exe.2.tmp, steel.exe.2.tmp, 00000001.00000000.1351230797.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JGC1S.tmp.1.dr, steel.exe.2.tmp.0.dr | false | | high
https://188.119.66.185/ography | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | steel.exe.2.exe | false | | high
https://188.119.66.185/Z | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/Y | mediacodecpack.exe, 00000003.00000002.2610701101.0000000000812000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/V | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | steel.exe.2.exe | false | | high
https://188.119.66.185/$ | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/# | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd325 | mediacodecpack.exe, 00000003.00000003.2557428878.0000000003390000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/l | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/2 | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | steel.exe.2.exe, 00000000.00000003.1350779347.0000000002088000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.exe, 00000000.00000003.1350617622.0000000002340000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000000.1351230797.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JGC1S.tmp.1.dr, steel.exe.2.tmp.0.dr | false | | high
https://188.119.66.185/p | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/priseCertificates | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/en-US | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/en-GB | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://wonderwork.ucoz.com/ | steel.exe.2.tmp, 00000001.00000002.2613496883.0000000005EDC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000000.1365288595.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, MediaCodecPack.exe.3.dr, mediacodecpack.exe.1.dr, is-P1VKL.tmp.1.dr | false | | high
https://188.119.66.185/C | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/405117-2476756634-1003= | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/p& | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | steel.exe.2.exe, 00000000.00000003.1350779347.0000000002088000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.exe, 00000000.00000003.1350617622.0000000002340000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, steel.exe.2.tmp, 00000001.00000000.1351230797.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JGC1S.tmp.1.dr, steel.exe.2.tmp.0.dr | false | | high
https://www.easycutstudio.com/support.html | steel.exe.2.exe, 00000000.00000003.1350218072.0000000002340000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.exe, 00000000.00000002.2610789414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.exe, 00000000.00000003.1350289760.0000000002081000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000003.1353022216.0000000002148000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000002.2611128350.0000000000588000.00000004.00000020.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000003.1352924868.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, steel.exe.2.tmp, 00000001.00000002.2611715292.0000000002148000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://188.119.66.185/~ | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/M | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003310000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/L | mediacodecpack.exe, 00000003.00000002.2613746407.0000000003327000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1577469
                                                Start date and time:2024-12-18 14:00:49 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 6m 11s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:steel.exe.2.exe
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@5/26@0/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:
                                                • Successful, ratio: 91%
                                                • Number of executed functions: 176
                                                • Number of non-executed functions: 317
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
                                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • VT rate limit hit for: steel.exe.2.exe
Time | Type | Description
08:02:17 | API Interceptor | 412990x Sleep call for process: mediacodecpack.exe modified
Match: 188.119.66.185
Associated Sample Name / URL | Detection | Threat Name
stories.exe.2.exe | malicious | Socks5Systemz
basx.exe | malicious | Socks5Systemz
list.exe | malicious | Socks5Systemz
newwork.exe.1.exe | malicious | Socks5Systemz
stail.exe.3.exe | malicious | Socks5Systemz
steel.exe.3.exe | malicious | Socks5Systemz
newwork.exe.1.exe | malicious | Socks5Systemz
steel.exe.3.exe | malicious | Socks5Systemz
Oz2UhFBTHy.exe | malicious | Socks5Systemz
GEm3o8pION.exe | malicious | Socks5Systemz
Match: s-part-0035.t-0009.t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
steel.exe.3.exe | malicious | Socks5Systemz | 13.107.246.63
newwork.exe.1.exe | malicious | Socks5Systemz | 13.107.246.63
IW9QNpidAN.exe | malicious | Unknown | 13.107.246.63
T2dvU8f2xg.exe | malicious | Unknown | 13.107.246.63
IW9QNpidAN.exe | malicious | Unknown | 13.107.246.63
cred.dll | malicious | Amadey | 13.107.246.63
v_dolg.exe | malicious | LummaC Stealer | 13.107.246.63
Setup2.exe | malicious | Cryptbot | 13.107.246.63
clcs.exe | malicious | Cryptbot | 13.107.246.63
2kudv4ea.exe | malicious | LummaC | 13.107.246.63
Match: FLYNETRU
Associated Sample Name / URL | Detection | Threat Name | Context
stories.exe.2.exe | malicious | Socks5Systemz | 188.119.66.185
basx.exe | malicious | Socks5Systemz | 188.119.66.185
list.exe | malicious | Socks5Systemz | 188.119.66.185
newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
stail.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
Match: 51c64c77e60f3980eea90869b68c58a8
Associated Sample Name / URL | Detection | Threat Name | Context
stories.exe.2.exe | malicious | Socks5Systemz | 188.119.66.185
basx.exe | malicious | Socks5Systemz | 188.119.66.185
list.exe | malicious | Socks5Systemz | 188.119.66.185
newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
stail.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
cd#U9988.exe | malicious | Unknown | 188.119.66.185
Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
Match: C:\ProgramData\MediaCodecPack\sqlite3.dll
Associated Sample Name / URL | Detection | Threat Name
stories.exe.2.exe | malicious | Socks5Systemz
basx.exe | malicious | Socks5Systemz
list.exe | malicious | Socks5Systemz
newwork.exe.1.exe | malicious | Socks5Systemz
stail.exe.3.exe | malicious | Socks5Systemz
steel.exe.3.exe | malicious | Socks5Systemz
newwork.exe.1.exe | malicious | Socks5Systemz
steel.exe.3.exe | malicious | Socks5Systemz
AbC0LBkVhr.exe | malicious | Socks5Systemz
Oz2UhFBTHy.exe | malicious | Socks5Systemz
                                                                                        Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3193560
                                                                                        Entropy (8bit):6.381871278623358
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:j5JAG9AhYGBXXrBM9SlP33YE5yz15qRDyenqP:j5GGEBHrBM9EP33YEU15qRDyen
                                                                                        MD5:B69E5FA299A1F14503BE46E4D762D943
                                                                                        SHA1:96004C129789A1C2F12B6DDDA7C1A146DF63C63B
                                                                                        SHA-256:0F7A37620627B454535B3E0A483E21392904A429073F64E3E9501FCFB0D8F30C
                                                                                        SHA-512:0938705FD310A12597B74971F0ADACBAC5520FC68C11AE54A1B39DA271BE1A6A902D3D375A3CAB7163DDB8E32806DCAD6928365FC400F0B37B6AC14DCFC6023F
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, Author: Joe Security
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Reputation:low
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...z.bg.................j...D.......#............@...........................1.....0)1.....................................4........ .................................................................................\............................aitt4...h.......j.................. ..`.ajtt4...-...........n..............@..@.aktt4...d.......0..................@....rsrc........ ......................@..@.altt4...@.......>...|..............`./.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):645592
                                                                                        Entropy (8bit):6.50414583238337
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: stories.exe.2.exe, Detection: malicious
• Filename: basx.exe, Detection: malicious
• Filename: list.exe, Detection: malicious
• Filename: newwork.exe.1.exe, Detection: malicious
• Filename: stail.exe.3.exe, Detection: malicious
• Filename: steel.exe.3.exe, Detection: malicious
• Filename: newwork.exe.1.exe, Detection: malicious
• Filename: steel.exe.3.exe, Detection: malicious
• Filename: AbC0LBkVhr.exe, Detection: malicious
• Filename: Oz2UhFBTHy.exe, Detection: malicious
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                        Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        File Type:ISO-8859 text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8
                                                                                        Entropy (8bit):2.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:EHClt:EHCX
                                                                                        MD5:8F00B50BDB64C58B3236DDFD35DAC0E6
                                                                                        SHA1:D5BE039F5195EF1B502F9783F7D270FE974D951D
                                                                                        SHA-256:0EA9C03F4E6970B3413734FCCE529D90F25C53E947D764B6DE9B647EC4D25EAF
                                                                                        SHA-512:7F199E0F2CFCFCE41CC2EA2836458C37C239009BD6887D0D8FB76AC410E12E49B56F0EAF2B5D21F2359A1936A3FF75126F939F1B54A6C706E10CAE365F290934
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:..bg....
                                                                                        Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):4
                                                                                        Entropy (8bit):0.8112781244591328
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:z:z
                                                                                        MD5:2D56A7DEA4F80C5B80C271D405670D97
                                                                                        SHA1:A69F09257D9CD8F5EDD9A87B728AB3D75D4352C4
                                                                                        SHA-256:B01099398CE27BBCB7ED256854ACC338BA75AF739E9D73D741DCB13DC4CBFB56
                                                                                        SHA-512:216D2040762FF21C79A8BCDC5FC003575E635EBBAD90053F75099F7389C7AF1B27AE04BE85567459C88E20B4E517C27A28841F595982879D83F86AFA09E8F67F
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:....
                                                                                        Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):128
                                                                                        Entropy (8bit):2.9012093522336393
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
                                                                                        MD5:679DD163372163CD8FFC24E3C9E758B3
                                                                                        SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
                                                                                        SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
                                                                                        SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview:12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................
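Each dropped-file entry above lists Size, Entropy (8bit), an Encrypted flag and MD5/SHA1/SHA-256/SHA-512 digests. The Python profiler below is an added example, not Joe Sandbox code, that recomputes those fields so an analyst can profile a file recovered from a host and compare it against the report. Assumptions: ENCRYPTED_THRESHOLD (7.2 bits per byte) is an assumed packing heuristic, not Joe Sandbox's criterion for the Encrypted flag; the sample inputs are constructed, the 128-byte one from the 64 hex characters shown in the preview of the 128-byte entry plus 64 bytes assumed to be one repeated value (the preview renders them as dots, and a single repeated value is the only layout that reproduces the reported entropy of 2.9012093522336393), while the 4-byte and 8-byte inputs merely reproduce the entropies the report gives for the 4-byte and 8-byte files and are not their real contents.

```python
"""Recompute the per-file fields a sandbox report lists for a dropped artifact.

Added example, not Joe Sandbox code. ENCRYPTED_THRESHOLD is an assumed
heuristic and the SAMPLE_* inputs are constructed (see the lead-in).
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Assumed heuristic: a near-uniform byte distribution (max is 8.0 bits/byte)
# is what packers and encrypted payloads typically produce.
ENCRYPTED_THRESHOLD = 7.2


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte over the 256-symbol byte alphabet (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class FileProfile:
    size: int
    entropy: float
    encrypted: bool
    md5: str
    sha1: str
    sha256: str
    sha512: str


def profile(data: bytes) -> FileProfile:
    """Return the size/entropy/digest fields in the same shape as a report entry.

    Digests are upper-cased to match how the report prints them."""
    ent = shannon_entropy_8bit(data)
    return FileProfile(
        size=len(data),
        entropy=ent,
        encrypted=ent >= ENCRYPTED_THRESHOLD,
        md5=hashlib.md5(data).hexdigest().upper(),
        sha1=hashlib.sha1(data).hexdigest().upper(),
        sha256=hashlib.sha256(data).hexdigest().upper(),
        sha512=hashlib.sha512(data).hexdigest().upper(),
    )


def matches_report(data: bytes, reported_sha256: str) -> bool:
    """True when a recovered file's SHA-256 equals the one listed in the report (case-insensitive)."""
    return hashlib.sha256(data).hexdigest().lower() == reported_sha256.strip().lower()


# Constructed inputs (see lead-in); the entropies they reproduce are taken from the report.
HEX_TOKEN = b"12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56"
SAMPLE_128 = HEX_TOKEN + b"\x00" * 64       # assumption: the 64 dotted bytes are one repeated value
SAMPLE_4 = b"\x01\x00\x00\x00"              # any 3:1 byte split gives 0.8112781244591328
SAMPLE_8 = b"\x00\x00bg\x00\x00\x01\x02"    # 4 of one value + 4 singletons gives 2.0
SAMPLE_UNIFORM = bytes(range(256)) * 4      # every byte value equally likely gives 8.0

if __name__ == "__main__":
    for name, blob in [("128-byte", SAMPLE_128), ("4-byte", SAMPLE_4),
                       ("8-byte", SAMPLE_8), ("uniform", SAMPLE_UNIFORM)]:
        p = profile(blob)
        print(f"{name}: size={p.size} entropy={p.entropy:.16f} "
              f"encrypted={p.encrypted} sha256={p.sha256}")
```

Comparing the recomputed SHA-256 with matches_report() against the value in the entry is the reliable check; entropy alone only tells you whether the byte distribution is consistent with the report, which is why the 4- and 8-byte constructed inputs match the reported entropies without being the real files.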
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1645320
                                                                                        Entropy (8bit):6.787752063353702
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                        MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                        SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                        SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                        SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):499712
                                                                                        Entropy (8bit):6.414789978441117
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                        MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                        SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                        SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                        SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1645320
                                                                                        Entropy (8bit):6.787752063353702
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                        MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                        SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                        SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                        SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):348160
                                                                                        Entropy (8bit):6.542655141037356
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                        MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                        SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                        SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                        SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):176128
                                                                                        Entropy (8bit):6.204917493416147
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                                        MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                                        SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                                        SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                                        SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):3193560
                                                                                        Entropy (8bit):6.381870843097575
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:U5JAG9AhYGBXXrBM9SlP33YE5yz15qRDyenqP:U5GGEBHrBM9EP33YEU15qRDyen
                                                                                        MD5:BDEDEF7CCED2BC4CF057B6B12D85BD96
                                                                                        SHA1:B66DA25D9B771E64F9D1568F4FB39431A1E597E3
                                                                                        SHA-256:DD58389A88D0D8495C08ADD4D47F091003CBEF68734A2A82D7E4449EE22F508B
                                                                                        SHA-512:0F44374163C7914B3FCBD9D9DE4EE0455E844C2080DBC680A8FEE1936A923E89AEF04E0C18C3CFBC3ADB1236F8A2390D5412593255DBB5F6DB6FE5B80C8CBB54
                                                                                        Malicious:false
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-P1VKL.tmp, Author: Joe Security
                                                                                        Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...z.bg.................j...D.......#............@...........................1.....0)1.....................................4........ .................................................................................\............................aitt4...h.......j.................. ..`.ajtt4...-...........n..............@..@.aktt4...d.......0..................@....rsrc........ ......................@..@.altt4...@.......>...|..............`./.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:MS Windows HtmlHelp Data
                                                                                        Category:dropped
                                                                                        Size (bytes):78183
                                                                                        Entropy (8bit):7.692742945771669
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                        MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                        SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                        SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                        SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                        Malicious:false
                                                                                        Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):645592
                                                                                        Entropy (8bit):6.50414583238337
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:MS Windows HtmlHelp Data
                                                                                        Category:dropped
                                                                                        Size (bytes):78183
                                                                                        Entropy (8bit):7.692742945771669
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                        MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                        SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                        SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                        SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                        Malicious:false
                                                                                        Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):176128
                                                                                        Entropy (8bit):6.204917493416147
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                                        MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                                        SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                                        SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                                        SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:modified
                                                                                        Size (bytes):3193560
                                                                                        Entropy (8bit):6.381871278623358
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:j5JAG9AhYGBXXrBM9SlP33YE5yz15qRDyenqP:j5GGEBHrBM9EP33YEU15qRDyen
                                                                                        MD5:B69E5FA299A1F14503BE46E4D762D943
                                                                                        SHA1:96004C129789A1C2F12B6DDDA7C1A146DF63C63B
                                                                                        SHA-256:0F7A37620627B454535B3E0A483E21392904A429073F64E3E9501FCFB0D8F30C
                                                                                        SHA-512:0938705FD310A12597B74971F0ADACBAC5520FC68C11AE54A1B39DA271BE1A6A902D3D375A3CAB7163DDB8E32806DCAD6928365FC400F0B37B6AC14DCFC6023F
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Author: Joe Security
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...z.bg.................j...D.......#............@...........................1.....0)1.....................................4........ .................................................................................\............................aitt4...h.......j.................. ..`.ajtt4...-...........n..............@..@.aktt4...d.......0..................@....rsrc........ ......................@..@.altt4...@.......>...|..............`./.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):499712
                                                                                        Entropy (8bit):6.414789978441117
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                        MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                        SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                        SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                        SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):348160
                                                                                        Entropy (8bit):6.542655141037356
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                        MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                        SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                        SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                        SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):645592
Entropy (8bit):6.50414583238337
Encrypted:false
SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):717985
Entropy (8bit):6.51490177808013
Encrypted:false
SSDEEP:12288:FTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyFw:NPcYn5c/rPx37/zHBA6pFptZ1CENqMR1
MD5:C1270D7DFE9B50EF58128A8A0BDD34D3
SHA1:8AE6DAE0B1B12F22A751902CD95F19F27BCC30FA
SHA-256:F2859E4DA15F04941801E71E6F4384D25EF13DA6F1ED24415D6C2F1CDEDEAF45
SHA-512:B299367DF684BC218723BC478435CAD8F40F7ABD43B5B4DE78F00D0BF4C0EB06639788C26DA64046FDCF2EE850F6D645BF843DB11516497E42C58A14498A835C
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
File Type:InnoSetup Log MediaCodecPack, version 0x30, 4678 bytes, 841618\user, "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11"
Category:dropped
Size (bytes):4678
Entropy (8bit):4.7039125257806615
Encrypted:false
SSDEEP:96:dGy/2ydWO38DpTlI+39V+eOIhj/tga7ICSss/LnS/g/xx/U/y/h/JA/M/JK/JncW:dGy/2ydWO3opTl4HIhj/tHICSsAnS/gK
MD5:764098741B89135E292BD40B613D2443
SHA1:2401961671AE77CC40B22177F033BE68D969C322
SHA-256:87274EB9ED3919FF83D5EF74B88CB92D5262AA90212AD62A53FCDA0D350C5662
SHA-512:D9BF278D583B5818C67BD7438771E5BB5DE59A0018E2DFEB76ED5C0D2AC1AA86ABA672C8B835492D0B8801B368E70EEFBB317B517EDDDBCB2C9BC268A5F45A71
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):717985
Entropy (8bit):6.51490177808013
Encrypted:false
SSDEEP:12288:FTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyFw:NPcYn5c/rPx37/zHBA6pFptZ1CENqMR1
MD5:C1270D7DFE9B50EF58128A8A0BDD34D3
SHA1:8AE6DAE0B1B12F22A751902CD95F19F27BCC30FA
SHA-256:F2859E4DA15F04941801E71E6F4384D25EF13DA6F1ED24415D6C2F1CDEDEAF45
SHA-512:B299367DF684BC218723BC478435CAD8F40F7ABD43B5B4DE78F00D0BF4C0EB06639788C26DA64046FDCF2EE850F6D645BF843DB11516497E42C58A14498A835C
Malicious:true
Process:C:\Users\user\Desktop\steel.exe.2.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):706560
Entropy (8bit):6.506374420963084
Encrypted:false
SSDEEP:12288:NTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyF:FPcYn5c/rPx37/zHBA6pFptZ1CENqMRU
MD5:ED6A19AD054AD0172201AF725324781B
SHA1:817F409DBE431AE71D3AB4D70181257C3BEE4DBD
SHA-256:79DB034686A25A6BA5DEF19B0CDEDB7097A78F994FB4A1CD33765E0FD49C9423
SHA-512:D5D67F03F50D6EED159BB967735B9AE2ADDA579110D35A23A76BC2DF2B023122805C64E913A2A333B45EE8412F799BAC1538C8D4573DCDA7BB8147ACB6445729
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2560
Entropy (8bit):2.8818118453929262
Encrypted:false
SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:A69559718AB506675E907FE49DEB71E9
SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.289297026665552
Encrypted:false
SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):23312
Entropy (8bit):4.596242908851566
Encrypted:false
SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.997593488737733
TrID:
• Win32 Executable (generic) a (10002005/4) 98.73%
• Inno Setup installer (109748/4) 1.08%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name:steel.exe.2.exe
File size:3'368'652 bytes
MD5:43869d173a6397de9cf28b79ef8019b2
SHA1:13b9735eddfe589e332adfb4abd089261a13b1d5
SHA256:85a1f3ab935b0d7c803da2d26646b3a50242509fe63041fdee429963256018df
SHA512:22c3c54b03623a2b8ff2e6f3c19f291f450bfbddd75034db96a61a0df1573bff04c92f69d8e144d062873e2bfbd4c15407115c544856941ba0c9cd28c6d25a1e
SSDEEP:98304:MX0tWq4NKGYlXuWa0XuMfL4UrE32SdehZ6ZimSJX2:P8XnYlxrXVfL4UYm3PZmu2
TLSH:D9F533278B4BD031F1D242B5E925821140237FDB1D9C7907729A6D88AED35B6FB1E3A3
Icon Hash:2d2e3797b32b2b99
Entrypoint:0x40a5f8
Entrypoint Section:CODE
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:1
OS Version Minor:0
File Version Major:1
File Version Minor:0
Subsystem Version Major:1
Subsystem Version Minor:0
Import Hash:884310b1928934402ea6fec1dbd3cf5e
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FC2BC4F0D43h
call 00007FC2BC4F1F4Ah
call 00007FC2BC4F21D9h
call 00007FC2BC4F227Ch
call 00007FC2BC4F421Bh
call 00007FC2BC4F6B86h
call 00007FC2BC4F6CEDh
xor eax, eax
push ebp
push 0040ACC9h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040AC92h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007FC2BC4F779Bh
call 00007FC2BC4F7386h
cmp byte ptr [0040B234h], 00000000h
je 00007FC2BC4F827Eh
call 00007FC2BC4F7898h
xor eax, eax
call 00007FC2BC4F1A39h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FC2BC4F482Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE28h
call 00007FC2BC4F0DDAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE28h]
mov dl, 01h
mov eax, 0040738Ch
call 00007FC2BC4F50BAh
mov dword ptr [0040CE2Ch], eax
xor edx, edx
push ebp
push 0040AC4Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FC2BC4F77F6h
mov dword ptr [0040CE34h], eax
mov eax, dword ptr [0040CE34h]
                                                                                        cmp dword ptr [eax+0Ch], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9d30 | 0x9e00 | c3bd95c4b1a8e5199981e0d9b45fd18c | False | 0.6052709651898734 | data | 6.631765876950794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x250 | 0x400 | 1ee71d84f1c77af85f1f5c278f880572 | False | 0.306640625 | data | 2.751820662285145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe8c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | d9528013c09bacd4e7729b48219602d7 | False | 0.3253728693181818 | data | 4.491224264762356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
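The Entropy and ZLIB Complexity columns of the section table are the two numbers an analyst reads first when deciding whether a section holds plain code or packed payload. The Python below is an added example, not code from the Joe Sandbox report: it computes Shannon entropy in bits per byte, takes ZLIB Complexity to be compressed size divided by raw size (an assumption about how the report derives its column), and applies three triage rules over constructed section images that stand in for the CODE and BSS rows above plus a hypothetical packed section named ".pack". The 7.0-bit threshold is a common rule of thumb, not a value from the report.

```python
"""Added example: reproduce per-section entropy / zlib-complexity metrics and apply triage rules."""
import hashlib
import math
import zlib


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed-size / raw-size ratio (assumed to match the report's column).

    Near 0 for redundant data, about 1.0 for data zlib cannot shrink; on tiny blobs the
    zlib header pushes it above 1.0, which is why RT_RCDATA shows 1.18 in the resource table.
    """
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage_section(name, virtual_size, raw_size, data, characteristics, entropy_threshold=7.0):
    """Return the metrics plus human-readable findings for one section."""
    findings = []
    if raw_size == 0 and virtual_size > 0:
        findings.append("no raw data on disk; contents exist only after loading")
    if "IMAGE_SCN_MEM_EXECUTE" in characteristics and "IMAGE_SCN_MEM_WRITE" in characteristics:
        findings.append("writable and executable (self-modifying or unpacking code)")
    ent = shannon_entropy(data)
    if ent >= entropy_threshold:
        findings.append(f"entropy {ent:.2f} bits/byte suggests packed or encrypted content")
    return {"name": name, "entropy": ent, "zlib": zlib_complexity(data), "findings": findings}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic, incompressible filler built by chaining SHA-256 (stands in for packed data)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed section images (not the sample's bytes). CODE mimics a low-entropy prologue
# pattern with padding; BSS has no raw data, as in the table; ".pack" is hypothetical.
FAKE_CODE = (b"\x55\x8b\xec\x83\xec\x10\xc3" + b"\x00" * 9) * 0x9E0   # 0x9e00 bytes
FAKE_BSS = b""
FAKE_PACKED = pseudo_random(0x4000)

SECTIONS = [
    ("CODE", 0x9D30, 0x9E00, FAKE_CODE, ["IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"]),
    ("BSS", 0xE8C, 0x0, FAKE_BSS, ["IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"]),
    (".pack", 0x4000, 0x4000, FAKE_PACKED, ["IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"]),
]


def triage_all(sections=SECTIONS):
    """Run the triage over every section and return the list of result dicts."""
    return [triage_section(*s) for s in sections]


if __name__ == "__main__":
    for r in triage_all():
        notes = "; ".join(r["findings"]) or "nothing notable"
        print(f"{r['name']:<6} entropy={r['entropy']:.3f} zlib={r['zlib']:.3f} {notes}")
```

Read the two metrics together: a section with entropy near 8 and zlib ratio near 1 is incompressible, which is what encrypted or compressed payload looks like, while high entropy with a low zlib ratio only means a repeating byte pattern.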
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.2610410094637224
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T14:02:38.997500+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49836 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:39.668902+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49836 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:41.447393+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49843 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:42.214092+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49843 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:43.771409+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49849 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:44.454814+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49849 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:46.207571+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49855 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:47.071355+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49855 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:48.820434+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49865 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:49.513241+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49865 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:51.263898+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49871 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:51.958257+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49871 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:53.759673+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49877 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:54.687383+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49877 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:56.369688+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49884 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:57.186156+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49884 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:58.974799+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49890 | 188.119.66.185 | 443 | TCP
2024-12-18T14:02:59.659924+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49890 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:01.474713+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49896 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:02.323108+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49896 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:04.385392+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49902 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:05.488565+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49902 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:07.084542+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49912 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:07.782427+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49912 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:09.709304+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:10.408996+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:12.248024+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49924 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:12.932853+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49924 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:14.996406+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:15.676865+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:17.262780+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49941 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:18.014075+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49941 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:19.614540+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49947 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:20.294663+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49947 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:21.877527+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49953 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:22.610376+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49953 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:24.276074+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49959 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:25.061860+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49959 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:26.827518+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49965 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:27.564892+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49965 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:29.447269+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49971 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:30.176297+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49971 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:31.915590+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49977 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:32.767477+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49977 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:34.501193+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49983 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:35.311060+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49983 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:36.885022+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49989 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:37.589407+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49989 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:39.406824+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49995 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:40.179824+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49995 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:41.956892+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49998 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:42.637303+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49998 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:44.230138+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:44.930555+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:46.776754+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 50000 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:47.452673+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 50000 | 188.119.66.185 | 443 | TCP
2024-12-18T14:03:49.109038+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 50001 | 188.119.66.185 | 443 | TCP
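The alert rows above fire in pairs (JA3 match, then the downloader header match) on a fresh source port roughly every 2.5 seconds toward 188.119.66.185:443, which is the shape of a timer-driven beacon rather than user activity. The Python below is an added example, not part of the Joe Sandbox report and not a Suricata feature: it takes rows in the layout of the alert table, groups them per signature and destination, and flags a group as periodic when the spread of inter-alert gaps is small relative to the median gap. The embedded input is the first twelve rows of the table; the 25% jitter bound and four-event minimum are assumed starting thresholds, not values from the report.

```python
"""Added example: flag beacon-like periodicity in Suricata alert rows (not part of the report)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

JA3 = "ET JA3 Hash - [Abuse.ch] Possible Dridex"
UH = "ETPRO MALWARE Common Downloader Header Pattern UH"
SRC, DST = "192.168.2.9", "188.119.66.185"

# Input copied from the first twelve rows of the alert table above:
# (timestamp, sid, signature, severity, src_ip, src_port, dst_ip, dst_port, proto).
ALERTS = [
    ("2024-12-18T14:02:38.997500+0100", 2028765, JA3, 3, SRC, 49836, DST, 443, "TCP"),
    ("2024-12-18T14:02:39.668902+0100", 2803274, UH, 2, SRC, 49836, DST, 443, "TCP"),
    ("2024-12-18T14:02:41.447393+0100", 2028765, JA3, 3, SRC, 49843, DST, 443, "TCP"),
    ("2024-12-18T14:02:42.214092+0100", 2803274, UH, 2, SRC, 49843, DST, 443, "TCP"),
    ("2024-12-18T14:02:43.771409+0100", 2028765, JA3, 3, SRC, 49849, DST, 443, "TCP"),
    ("2024-12-18T14:02:44.454814+0100", 2803274, UH, 2, SRC, 49849, DST, 443, "TCP"),
    ("2024-12-18T14:02:46.207571+0100", 2028765, JA3, 3, SRC, 49855, DST, 443, "TCP"),
    ("2024-12-18T14:02:47.071355+0100", 2803274, UH, 2, SRC, 49855, DST, 443, "TCP"),
    ("2024-12-18T14:02:48.820434+0100", 2028765, JA3, 3, SRC, 49865, DST, 443, "TCP"),
    ("2024-12-18T14:02:49.513241+0100", 2803274, UH, 2, SRC, 49865, DST, 443, "TCP"),
    ("2024-12-18T14:02:51.263898+0100", 2028765, JA3, 3, SRC, 49871, DST, 443, "TCP"),
    ("2024-12-18T14:02:51.958257+0100", 2803274, UH, 2, SRC, 49871, DST, 443, "TCP"),
]


def parse_ts(value: str) -> datetime:
    """Parse the report's timestamp layout; %z accepts the '+0100' offset form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_stats(alerts, min_events=4, max_jitter=0.25):
    """Group alerts by (sid, dst_ip, dst_port) and measure how regular their timing is.

    jitter = (longest gap - shortest gap) / median gap. Interactive traffic has jitter
    well above 1; a timer-driven beacon stays small. Both thresholds are assumed
    starting points, not values from the report.
    """
    groups = defaultdict(list)
    for ts, sid, _sig, _sev, _sip, sport, dip, dport, _proto in alerts:
        groups[(sid, dip, dport)].append((parse_ts(ts), sport))
    result = {}
    for key, events in groups.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        entry = {
            "count": len(events),
            "new_connections": len({sport for _, sport in events}),  # one port per beacon
            "median_gap": None,
            "jitter": None,
            "periodic": False,
        }
        if len(events) >= min_events:
            med = median(gaps)
            jitter = (max(gaps) - min(gaps)) / med if med > 0 else float("inf")
            entry.update(median_gap=med, jitter=jitter, periodic=jitter <= max_jitter)
        result[key] = entry
    return result


if __name__ == "__main__":
    for (sid, dip, dport), s in beacon_stats(ALERTS).items():
        flag = "PERIODIC" if s["periodic"] else "irregular"
        print(f"sid={sid} -> {dip}:{dport} events={s['count']} conns={s['new_connections']} "
              f"median_gap={s['median_gap']} jitter={s['jitter']} {flag}")
```

Run as-is it reports both SIDs as periodic with a median gap of about 2.44 seconds and a new source port for every event; feeding it a full day of alerts instead of twelve rows is the point, since the jitter measure only becomes meaningful once a group has enough events to distinguish a scheduler from a user clicking.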
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 14:02:37.313215017 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:37.313254118 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:37.313504934 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:37.328747988 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:37.328764915 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:38.997390032 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:38.997499943 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.049633026 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.049647093 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:39.049999952 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:39.050065041 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.053747892 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.095334053 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:39.668411970 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:39.668490887 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:39.668540001 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.668540001 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.672535896 CET | 49836 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.672566891 CET | 443 | 49836 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:39.790606976 CET | 49843 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.790640116 CET | 443 | 49843 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:39.791335106 CET | 49843 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.791623116 CET | 49843 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:39.791632891 CET | 443 | 49843 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:41.445225954 CET | 443 | 49843 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:41.447392941 CET | 49843 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:41.447889090 CET | 49843 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:41.447895050 CET | 443 | 49843 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:41.448103905 CET | 49843 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:41.448107958 CET | 443 | 49843 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:42.214108944 CET | 443 | 49843 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:42.214170933 CET | 443 | 49843 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:42.214236975 CET | 49843 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:42.214550018 CET | 49843 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:42.214566946 CET | 443 | 49843 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:42.321892977 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:42.321934938 CET | 443 | 49849 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:42.322061062 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:42.322325945 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:42.322340965 CET | 443 | 49849 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:43.771308899 CET | 443 | 49849 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:43.771409035 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:43.772332907 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:43.772347927 CET | 443 | 49849 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:43.772510052 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:43.772515059 CET | 443 | 49849 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:44.454859018 CET | 443 | 49849 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:44.454927921 CET | 443 | 49849 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:44.455046892 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:44.455081940 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:44.455301046 CET | 49849 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:44.455324888 CET | 443 | 49849 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:44.572068930 CET | 49855 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:44.572114944 CET | 443 | 49855 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:44.572211981 CET | 49855 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:44.572469950 CET | 49855 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:44.572483063 CET | 443 | 49855 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:46.207385063 CET | 443 | 49855 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:46.207571030 CET | 49855 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:46.208169937 CET | 49855 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:46.208187103 CET | 443 | 49855 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:46.208343983 CET | 49855 | 443 | 192.168.2.9 | 188.119.66.185
Dec 18, 2024 14:02:46.208350897 CET | 443 | 49855 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:47.071382046 CET | 443 | 49855 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:47.071455002 CET | 443 | 49855 | 188.119.66.185 | 192.168.2.9
Dec 18, 2024 14:02:47.071458101 CET | 49855 | 443 | 192.168.2.9 | 188.119.66.185
                                                                                        Dec 18, 2024 14:02:47.071496010 CET49855443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:47.071639061 CET49855443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:47.071656942 CET44349855188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:47.349395990 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:47.349430084 CET44349865188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:47.349498987 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:47.349818945 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:47.349831104 CET44349865188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:48.820342064 CET44349865188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:48.820434093 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:48.821608067 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:48.821614981 CET44349865188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:48.821845055 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:48.821851969 CET44349865188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:49.513269901 CET44349865188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:49.513350964 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:49.513351917 CET44349865188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:49.513403893 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:49.513585091 CET49865443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:49.513593912 CET44349865188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:49.619822025 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:49.619873047 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:49.619944096 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:49.620311022 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:49.620322943 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:51.261945009 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:51.263897896 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:51.264377117 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:51.264384031 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:51.264642954 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:51.264648914 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:51.958364010 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:51.958456993 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:51.958478928 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:51.958518028 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:51.958520889 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:51.958570957 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:51.958686113 CET49871443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:51.958700895 CET44349871188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:52.072478056 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:52.072521925 CET44349877188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:52.072612047 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:52.073004961 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:52.073023081 CET44349877188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:53.759439945 CET44349877188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:53.759673119 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:53.760159969 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:53.760169029 CET44349877188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:53.760354996 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:53.760360003 CET44349877188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:54.687232971 CET44349877188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:54.687309980 CET44349877188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:54.687325954 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:54.687355995 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:54.687668085 CET49877443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:54.687681913 CET44349877188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:54.809403896 CET49884443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:54.809456110 CET44349884188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:54.809547901 CET49884443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:54.809912920 CET49884443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:54.809926033 CET44349884188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:56.369613886 CET44349884188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:56.369688034 CET49884443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:56.370245934 CET49884443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:56.370260954 CET44349884188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:56.370491028 CET49884443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:56.370497942 CET44349884188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:57.186203957 CET44349884188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:57.186286926 CET44349884188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:57.186476946 CET49884443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:57.186847925 CET49884443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:57.186865091 CET44349884188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:57.308729887 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:57.308779001 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:57.308885098 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:57.309253931 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:57.309271097 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:58.974730968 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:58.974798918 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:58.975370884 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:58.975378990 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:58.975573063 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:58.975579023 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:59.660027027 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:59.660177946 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:59.660196066 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:59.660219908 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:59.660240889 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:59.660268068 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:59.660448074 CET49890443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:59.660463095 CET44349890188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:59.775342941 CET49896443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:59.775383949 CET44349896188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:02:59.775512934 CET49896443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:59.775888920 CET49896443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:02:59.775903940 CET44349896188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:01.474539042 CET44349896188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:01.474713087 CET49896443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:01.475554943 CET49896443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:01.475564957 CET44349896188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:01.475740910 CET49896443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:01.475744009 CET44349896188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:02.323092937 CET44349896188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:02.323156118 CET44349896188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:02.323338032 CET49896443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:02.323904991 CET49896443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:02.323916912 CET44349896188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:02.431660891 CET49902443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:02.431713104 CET44349902188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:02.431879044 CET49902443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:02.432142019 CET49902443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:02.432154894 CET44349902188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:04.384879112 CET44349902188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:04.385391951 CET49902443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:04.385962963 CET49902443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:04.385973930 CET44349902188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:04.386178970 CET49902443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:04.386184931 CET44349902188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:05.488589048 CET44349902188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:05.488670111 CET44349902188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:05.488806009 CET49902443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:05.489012003 CET49902443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:05.489033937 CET44349902188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:05.603307962 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:05.603358030 CET44349912188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:05.603718996 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:05.604017019 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:05.604028940 CET44349912188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:07.084407091 CET44349912188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:07.084542036 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.085283995 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.085295916 CET44349912188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:07.085381985 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.085387945 CET44349912188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:07.782465935 CET44349912188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:07.782557964 CET44349912188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:07.782596111 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.782658100 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.782820940 CET49912443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.782841921 CET44349912188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:07.900952101 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.900979996 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:07.901062012 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.901334047 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:07.901344061 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:09.709140062 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:09.709304094 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:09.709956884 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:09.709964037 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:09.710160017 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:09.710165024 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:10.409007072 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:10.409070015 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:10.409090042 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:10.409107924 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:10.409131050 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:10.409162998 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:10.409735918 CET49918443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:10.409749985 CET44349918188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:10.601130009 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:10.601166010 CET44349924188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:10.601233959 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:10.604106903 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:10.604125023 CET44349924188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:12.247879982 CET44349924188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:12.248023987 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:12.248558044 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:12.248569965 CET44349924188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:12.248771906 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:12.248778105 CET44349924188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:12.932873011 CET44349924188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:12.932945013 CET44349924188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:12.933007002 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:12.933022976 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:13.088042974 CET49924443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:13.088078022 CET44349924188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:13.322645903 CET49931443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:13.322689056 CET44349931188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:46.777254105 CET50000443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:46.777262926 CET44350000188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:46.779866934 CET50000443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:46.779885054 CET44350000188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:47.452650070 CET44350000188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:47.452723980 CET44350000188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:47.452732086 CET50000443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:47.453808069 CET50000443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:47.453883886 CET50000443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:47.453902960 CET44350000188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:47.575320005 CET50001443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:47.575364113 CET44350001188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:47.575546980 CET50001443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:47.575793982 CET50001443192.168.2.9188.119.66.185
                                                                                        Dec 18, 2024 14:03:47.575809002 CET44350001188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:49.108788013 CET44350001188.119.66.185192.168.2.9
                                                                                        Dec 18, 2024 14:03:49.109038115 CET50001443192.168.2.9188.119.66.185
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 14:01:37.911710024 CET | 1.1.1.1 | 192.168.2.9 | 0x13f2 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 14:01:37.911710024 CET | 1.1.1.1 | 192.168.2.9 | 0x13f2 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false

• 188.119.66.185
                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        0192.168.2.949836188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:39 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:39 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:39 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:39 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        1192.168.2.949843188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:41 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:42 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:41 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:42 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        2192.168.2.949849188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:43 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:44 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:44 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:44 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        3192.168.2.949855188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:46 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:47 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:46 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:47 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        4192.168.2.949865188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:48 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:49 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:49 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:49 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        5192.168.2.949871188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:51 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:51 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:51 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:51 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        6192.168.2.949877188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:53 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:54 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:54 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:54 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        7192.168.2.949884188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:56 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:57 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:56 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:57 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        8192.168.2.949890188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:02:58 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:02:59 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:02:59 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:02:59 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        9192.168.2.949896188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:03:01 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:03:02 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:03:02 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:03:02 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        10192.168.2.949902188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:03:04 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:03:05 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:03:05 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:03:05 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        11192.168.2.949912188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:03:07 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:03:07 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:03:07 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:03:07 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49918 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:09 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:10 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:10 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:10 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49924 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:12 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:12 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:12 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:12 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 49931 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:14 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:15 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:15 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:15 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.9 | 49941 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:17 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:18 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:17 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:18 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.9 | 49947 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:19 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:20 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:20 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:20 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 49953 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:21 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:22 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:22 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:22 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49959 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:24 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:25 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:24 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:25 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 49965 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:26 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:27 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:27 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:27 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 49971 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:29 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:30 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:29 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:30 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 49977 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:31 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:32 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:32 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:32 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.9 | 49983 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:34 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:35 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:35 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:35 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.9 | 49989 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:36 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:37 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:37 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:37 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.9 | 49995 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:39 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:40 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:39 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:40 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.9 | 49998 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:41 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:42 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:42 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:42 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.9 | 49999 | 188.119.66.185 | 443 | 3444 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 13:03:44 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 13:03:44 UTC | 200 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 13:03:44 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 13:03:44 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        27192.168.2.950000188.119.66.1854433444C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-12-18 13:03:46 UTC283OUTGET /ai/?key=8f3f2b3ab71046392219e2a5231e72eee7c4db7e40b82a8dcd6c946851e30088dd3250aa15d405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fda3688 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                        Host: 188.119.66.185
                                                                                        2024-12-18 13:03:47 UTC200INHTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                        Date: Wed, 18 Dec 2024 13:03:47 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/7.4.33
                                                                                        2024-12-18 13:03:47 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: e8b723663ec13250


                                                                                        Target ID:0
                                                                                        Start time:08:01:41
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\Desktop\steel.exe.2.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\steel.exe.2.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:3'368'652 bytes
                                                                                        MD5 hash:43869D173A6397DE9CF28B79EF8019B2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low
                                                                                        Has exited:false

                                                                                        Target ID:1
                                                                                        Start time:08:01:41
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-86CS2.tmp\steel.exe.2.tmp" /SL5="$203CE,3119679,56832,C:\Users\user\Desktop\steel.exe.2.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:706'560 bytes
                                                                                        MD5 hash:ED6A19AD054AD0172201AF725324781B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.2613496883.0000000005E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:false

                                                                                        Target ID:3
                                                                                        Start time:08:01:42
                                                                                        Start date:18/12/2024
                                                                                        Path:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                                                                                        Imagebase:0x400000
                                                                                        File size:3'193'560 bytes
                                                                                        MD5 hash:B69E5FA299A1F14503BE46E4D762D943
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2612183102.0000000002B13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.1365113971.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        Reputation:low
                                                                                        Has exited:false

                                                                                          Execution Graph

                                                                                          Execution Coverage:21.5%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:2.4%
                                                                                          Total number of Nodes:1520
                                                                                          Total number of Limit Nodes:22
calls 5651->5652 5653 4054cb 5652->5653 5654 40520c 19 API calls 5653->5654 5655 4054e0 5654->5655 5656 4031e8 18 API calls 5655->5656 5657 4054ed 5656->5657 5658 405258 GetLocaleInfoA 5657->5658 5659 4054fb 5658->5659 5660 40520c 19 API calls 5659->5660 5661 405515 5660->5661 5662 4031e8 18 API calls 5661->5662 5663 405522 5662->5663 5664 40520c 19 API calls 5663->5664 5665 405537 5664->5665 5666 4031e8 18 API calls 5665->5666 5667 405544 5666->5667 5668 40520c 19 API calls 5667->5668 5669 405559 5668->5669 5670 405576 5669->5670 5671 405567 5669->5671 5673 40322c 4 API calls 5670->5673 5698 40322c 5671->5698 5674 405574 5673->5674 5675 40520c 19 API calls 5674->5675 5676 405598 5675->5676 5677 4055b5 5676->5677 5678 4055a6 5676->5678 5679 403198 4 API calls 5677->5679 5680 40322c 4 API calls 5678->5680 5681 4055b3 5679->5681 5680->5681 5682 4033b4 18 API calls 5681->5682 5683 4055d7 5682->5683 5684 4033b4 18 API calls 5683->5684 5685 4055f1 5684->5685 5686 4031b8 4 API calls 5685->5686 5687 40560b 5686->5687 5688 405cf4 GetVersionExA 5687->5688 5689 405d0b 5688->5689 5689->5458 5691 405233 5690->5691 5692 405245 5690->5692 5693 403278 18 API calls 5691->5693 5694 40322c 4 API calls 5692->5694 5695 405243 5693->5695 5694->5695 5695->5636 5697 405274 5696->5697 5697->5644 5700 403230 5698->5700 5699 403252 5699->5674 5700->5699 5701 4025ac 4 API calls 5700->5701 5701->5699 5706 403414 5702->5706 5705 406fee 5705->5518 5707 403418 LoadLibraryA 5706->5707 5707->5705 5709 406af0 18 API calls 5708->5709 5710 406bf3 5709->5710 5711 406c05 5710->5711 5712 406af0 18 API calls 5710->5712 5713 403198 4 API calls 5711->5713 5712->5710 5714 406c1a 5713->5714 5714->5530 5716 407578 5715->5716 5717 4075b7 CreateFileA 5716->5717 5717->5552 5719 403414 5718->5719 5720 4075b7 CreateFileA 5719->5720 5720->5552 5722 407cd3 5721->5722 5724 407cc8 5721->5724 5727 407c5c 5722->5727 5724->5588 5726 405890 18 API calls 5726->5724 5728 407c70 5727->5728 5729 407caf 5727->5729 5728->5729 
5731 407bac 5728->5731 5729->5724 5729->5726 5732 407bb7 5731->5732 5736 407bc8 5731->5736 5734 405890 18 API calls 5732->5734 5733 4074a0 34 API calls 5735 407bdc 5733->5735 5734->5736 5737 4074a0 34 API calls 5735->5737 5736->5733 5738 407bfd 5737->5738 5739 407918 InterlockedExchange 5738->5739 5740 407c12 5739->5740 5741 407c28 5740->5741 5742 405890 18 API calls 5740->5742 5741->5728 5742->5741 5744 402598 5743->5744 5746 4025a2 5743->5746 5749 401fd4 5744->5749 5745 40259e 5745->5746 5747 403154 4 API calls 5745->5747 5746->5616 5746->5746 5747->5746 5750 401fe8 5749->5750 5751 401fed 5749->5751 5760 401918 RtlInitializeCriticalSection 5750->5760 5753 402012 RtlEnterCriticalSection 5751->5753 5754 40201c 5751->5754 5759 401ff1 5751->5759 5753->5754 5754->5759 5767 401ee0 5754->5767 5757 402147 5757->5745 5758 40213d RtlLeaveCriticalSection 5758->5757 5759->5745 5761 40193c RtlEnterCriticalSection 5760->5761 5762 401946 5760->5762 5761->5762 5763 401964 LocalAlloc 5762->5763 5764 40197e 5763->5764 5765 4019c3 RtlLeaveCriticalSection 5764->5765 5766 4019cd 5764->5766 5765->5766 5766->5751 5770 401ef0 5767->5770 5768 401f1c 5772 401f40 5768->5772 5778 401d00 5768->5778 5770->5768 5770->5772 5773 401e58 5770->5773 5772->5757 5772->5758 5782 4016d8 5773->5782 5776 401e75 5776->5770 5779 401d4e 5778->5779 5780 401d1e 5778->5780 5779->5780 5851 401c68 5779->5851 5780->5772 5785 4016f4 5782->5785 5784 4016fe 5807 4015c4 5784->5807 5785->5784 5787 40175b 5785->5787 5789 40174f 5785->5789 5799 401430 5785->5799 5811 40132c 5785->5811 5787->5776 5792 401dcc 5787->5792 5815 40150c 5789->5815 5790 40170a 5790->5787 5825 401d80 5792->5825 5795 40132c LocalAlloc 5796 401df0 5795->5796 5798 401df8 5796->5798 5829 401b44 5796->5829 5798->5776 5800 40143f VirtualAlloc 5799->5800 5802 40146c 5800->5802 5803 40148f 5800->5803 5819 4012e4 5802->5819 5803->5785 5806 40147c VirtualFree 5806->5803 5809 40160a 5807->5809 5808 40163a 5808->5790 5809->5808 5810 401626 VirtualAlloc 
5809->5810 5810->5808 5810->5809 5812 401348 5811->5812 5813 4012e4 LocalAlloc 5812->5813 5814 40138f 5813->5814 5814->5785 5818 40153b 5815->5818 5816 401594 5816->5787 5817 401568 VirtualFree 5817->5818 5818->5816 5818->5817 5822 40128c 5819->5822 5823 401298 LocalAlloc 5822->5823 5824 4012aa 5822->5824 5823->5824 5824->5803 5824->5806 5826 401d89 5825->5826 5828 401d92 5825->5828 5826->5828 5834 401b74 5826->5834 5828->5795 5830 401b61 5829->5830 5831 401b52 5829->5831 5830->5798 5832 401d00 9 API calls 5831->5832 5833 401b5f 5832->5833 5833->5798 5837 40215c 5834->5837 5836 401b95 5836->5828 5838 40217a 5837->5838 5839 402175 5837->5839 5841 4021ab RtlEnterCriticalSection 5838->5841 5842 40217e 5838->5842 5849 4021b5 5838->5849 5840 401918 4 API calls 5839->5840 5840->5838 5841->5849 5842->5836 5843 4021c1 5845 4022e3 RtlLeaveCriticalSection 5843->5845 5846 4022ed 5843->5846 5844 402244 5844->5842 5847 401d80 7 API calls 5844->5847 5845->5846 5846->5836 5847->5842 5848 402270 5848->5843 5850 401d00 7 API calls 5848->5850 5849->5843 5849->5844 5849->5848 5850->5843 5852 401c7a 5851->5852 5853 401c9d 5852->5853 5854 401caf 5852->5854 5864 40188c 5853->5864 5856 40188c 3 API calls 5854->5856 5857 401cad 5856->5857 5858 401b44 9 API calls 5857->5858 5863 401cc5 5857->5863 5859 401cd4 5858->5859 5860 401cee 5859->5860 5874 401b98 5859->5874 5879 4013a0 5860->5879 5863->5780 5865 4018b2 5864->5865 5873 40190b 5864->5873 5883 401658 5865->5883 5868 40132c LocalAlloc 5869 4018cf 5868->5869 5870 40150c VirtualFree 5869->5870 5871 4018e6 5869->5871 5870->5871 5872 4013a0 LocalAlloc 5871->5872 5871->5873 5872->5873 5873->5857 5875 401bab 5874->5875 5876 401b9d 5874->5876 5875->5860 5877 401b74 9 API calls 5876->5877 5878 401baa 5877->5878 5878->5860 5881 4013ab 5879->5881 5880 4013c6 5880->5863 5881->5880 5882 4012e4 LocalAlloc 5881->5882 5882->5880 5885 40168f 5883->5885 5884 4016cf 5884->5868 5885->5884 5886 4016a9 VirtualFree 5885->5886 5886->5885 6843 402dfa 6844 
402e26 6843->6844 6845 402e0d 6843->6845 6847 402ba4 6845->6847 6848 402bc9 6847->6848 6849 402bad 6847->6849 6848->6844 6850 402bb5 RaiseException 6849->6850 6850->6848 6851 4075fa GetFileSize 6852 407626 6851->6852 6853 407616 GetLastError 6851->6853 6853->6852 6854 40761f 6853->6854 6855 40748c 35 API calls 6854->6855 6855->6852 6856 406ffb 6857 407008 SetErrorMode 6856->6857 6525 403a80 CloseHandle 6526 403a90 6525->6526 6527 403a91 GetLastError 6525->6527 6528 404283 6529 4042c3 6528->6529 6530 403154 4 API calls 6529->6530 6531 404323 6530->6531 6858 404185 6859 4041ff 6858->6859 6860 4041cc 6859->6860 6861 403154 4 API calls 6859->6861 6862 404323 6861->6862 6532 403e87 6533 403e4c 6532->6533 6534 403e62 6533->6534 6535 403e7b 6533->6535 6538 403e67 6533->6538 6541 403cc8 6534->6541 6537 402674 4 API calls 6535->6537 6539 403e78 6537->6539 6538->6539 6545 402674 6538->6545 6542 403cd6 6541->6542 6543 402674 4 API calls 6542->6543 6544 403ceb 6542->6544 6543->6544 6544->6538 6546 403154 4 API calls 6545->6546 6547 40267a 6546->6547 6547->6539 6556 407e90 6557 407eb8 VirtualFree 6556->6557 6558 407e9d 6557->6558 6561 403e95 6562 403e4c 6561->6562 6563 403e67 6562->6563 6564 403e62 6562->6564 6565 403e7b 6562->6565 6568 403e78 6563->6568 6569 402674 4 API calls 6563->6569 6566 403cc8 4 API calls 6564->6566 6567 402674 4 API calls 6565->6567 6566->6563 6567->6568 6569->6568 6570 40ac97 6579 4096fc 6570->6579 6573 402f24 5 API calls 6574 40aca1 6573->6574 6575 403198 4 API calls 6574->6575 6576 40acc0 6575->6576 6577 403198 4 API calls 6576->6577 6578 40acc8 6577->6578 6588 4056ac 6579->6588 6581 409717 6582 409745 6581->6582 6594 40720c 6581->6594 6585 403198 4 API calls 6582->6585 6584 409735 6587 40973d MessageBoxA 6584->6587 6586 40975a 6585->6586 6586->6573 6586->6574 6587->6582 6589 403154 4 API calls 6588->6589 6590 4056b1 6589->6590 6591 4056c9 6590->6591 6592 403154 4 API calls 6590->6592 6591->6581 6593 4056bf 6592->6593 6593->6581 6595 4056ac 4 API 
calls 6594->6595 6596 40721b 6595->6596 6597 407221 6596->6597 6598 40722f 6596->6598 6599 40322c 4 API calls 6597->6599 6600 40724b 6598->6600 6601 40723f 6598->6601 6603 40722d 6599->6603 6612 4032b8 6600->6612 6605 4071d0 6601->6605 6603->6584 6606 40322c 4 API calls 6605->6606 6607 4071df 6606->6607 6608 4071fc 6607->6608 6609 406950 CharPrevA 6607->6609 6608->6603 6610 4071eb 6609->6610 6610->6608 6611 4032fc 18 API calls 6610->6611 6611->6608 6613 403278 18 API calls 6612->6613 6614 4032c2 6613->6614 6614->6603 6615 403a97 6616 403aac 6615->6616 6617 403bbc GetStdHandle 6616->6617 6618 403b0e CreateFileA 6616->6618 6626 403ab2 6616->6626 6619 403c17 GetLastError 6617->6619 6632 403bba 6617->6632 6618->6619 6620 403b2c 6618->6620 6619->6626 6622 403b3b GetFileSize 6620->6622 6620->6632 6622->6619 6623 403b4e SetFilePointer 6622->6623 6623->6619 6628 403b6a ReadFile 6623->6628 6624 403be7 GetFileType 6625 403c02 CloseHandle 6624->6625 6624->6626 6625->6626 6628->6619 6629 403b8c 6628->6629 6630 403b9f SetFilePointer 6629->6630 6629->6632 6630->6619 6631 403bb0 SetEndOfFile 6630->6631 6631->6619 6631->6632 6632->6624 6632->6626 6637 40aaa2 6638 40aad2 6637->6638 6639 40aadc CreateWindowExA SetWindowLongA 6638->6639 6640 405194 33 API calls 6639->6640 6641 40ab5f 6640->6641 6642 4032fc 18 API calls 6641->6642 6643 40ab6d 6642->6643 6644 4032fc 18 API calls 6643->6644 6645 40ab7a 6644->6645 6646 406b7c 19 API calls 6645->6646 6647 40ab86 6646->6647 6648 4032fc 18 API calls 6647->6648 6649 40ab8f 6648->6649 6650 4099ec 43 API calls 6649->6650 6651 40aba1 6650->6651 6652 4098cc 19 API calls 6651->6652 6653 40abb4 6651->6653 6652->6653 6654 40abed 6653->6654 6655 4094d8 9 API calls 6653->6655 6656 40ac06 6654->6656 6659 40ac00 RemoveDirectoryA 6654->6659 6655->6654 6657 40ac1a 6656->6657 6658 40ac0f DestroyWindow 6656->6658 6660 40ac42 6657->6660 6661 40357c 4 API calls 6657->6661 6658->6657 6659->6656 6662 40ac38 6661->6662 6663 4025ac 4 API calls 6662->6663 
6663->6660 6875 405ba2 6877 405ba4 6875->6877 6876 405be0 6880 405940 19 API calls 6876->6880 6877->6876 6878 405bf7 6877->6878 6879 405bda 6877->6879 6884 404cdc 19 API calls 6878->6884 6879->6876 6881 405c4c 6879->6881 6882 405bf3 6880->6882 6883 4059b0 33 API calls 6881->6883 6885 403198 4 API calls 6882->6885 6883->6882 6886 405c20 6884->6886 6887 405c86 6885->6887 6888 4059b0 33 API calls 6886->6888 6888->6882 6889 408da4 6890 408dc8 6889->6890 6891 408c80 18 API calls 6890->6891 6892 408dd1 6891->6892 6664 402caa 6665 403154 4 API calls 6664->6665 6666 402caf 6665->6666 6907 4011aa 6908 4011ac GetStdHandle 6907->6908 6667 4028ac 6668 402594 18 API calls 6667->6668 6669 4028b6 6668->6669 4979 40aab4 4980 40aab8 SetLastError 4979->4980 5011 409648 GetLastError 4980->5011 4983 40aad2 4985 40aadc CreateWindowExA SetWindowLongA 4983->4985 5024 405194 4985->5024 4989 40ab6d 4990 4032fc 18 API calls 4989->4990 4991 40ab7a 4990->4991 5041 406b7c GetCommandLineA 4991->5041 4994 4032fc 18 API calls 4995 40ab8f 4994->4995 5046 4099ec 4995->5046 4997 40aba1 4999 40abb4 4997->4999 5067 4098cc 4997->5067 5000 40abd4 4999->5000 5001 40abed 4999->5001 5073 4094d8 5000->5073 5003 40ac06 5001->5003 5006 40ac00 RemoveDirectoryA 5001->5006 5004 40ac1a 5003->5004 5005 40ac0f DestroyWindow 5003->5005 5007 40ac42 5004->5007 5081 40357c 5004->5081 5005->5004 5006->5003 5009 40ac38 5094 4025ac 5009->5094 5098 404c94 5011->5098 5019 4096c3 5113 4031b8 5019->5113 5025 4051a8 33 API calls 5024->5025 5026 4051a3 5025->5026 5027 4032fc 5026->5027 5028 403300 5027->5028 5029 40333f 5027->5029 5030 4031e8 5028->5030 5031 40330a 5028->5031 5029->4989 5037 403254 18 API calls 5030->5037 5038 4031fc 5030->5038 5032 403334 5031->5032 5033 40331d 5031->5033 5034 4034f0 18 API calls 5032->5034 5274 4034f0 5033->5274 5040 403322 5034->5040 5035 403228 5035->4989 5037->5038 5038->5035 5039 4025ac 4 API calls 5038->5039 5039->5035 5040->4989 5300 406af0 5041->5300 5043 406ba1 5044 403198 4 API calls 
5043->5044 5045 406bbf 5044->5045 5045->4994 5314 4033b4 5046->5314 5048 409a27 5049 409a59 CreateProcessA 5048->5049 5050 409a65 5049->5050 5051 409a6c CloseHandle 5049->5051 5052 409648 35 API calls 5050->5052 5053 409a75 5051->5053 5052->5051 5054 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5053->5054 5055 409a7a MsgWaitForMultipleObjects 5054->5055 5055->5053 5056 409a91 5055->5056 5057 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5056->5057 5058 409a96 GetExitCodeProcess CloseHandle 5057->5058 5059 409ab6 5058->5059 5060 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5059->5060 5061 409abe 5060->5061 5061->4997 5062 402f24 5063 403154 4 API calls 5062->5063 5064 402f29 5063->5064 5320 402bcc 5064->5320 5066 402f51 5066->5066 5068 40990e 5067->5068 5069 4098d4 5067->5069 5068->4999 5069->5068 5070 403420 18 API calls 5069->5070 5071 409908 5070->5071 5323 408e80 5071->5323 5074 409532 5073->5074 5078 4094eb 5073->5078 5074->5001 5075 4094f3 Sleep 5075->5078 5076 409503 Sleep 5076->5078 5078->5074 5078->5075 5078->5076 5079 40951a GetLastError 5078->5079 5346 408fbc 5078->5346 5079->5074 5080 409524 GetLastError 5079->5080 5080->5074 5080->5078 5084 403591 5081->5084 5090 4035a0 5081->5090 5082 4035b1 5085 403198 4 API calls 5082->5085 5083 4035b8 5086 4031b8 4 API calls 5083->5086 5087 4035d0 5084->5087 5088 40359b 5084->5088 5089 4035b6 5084->5089 5085->5089 5086->5089 5087->5089 5092 40357c 4 API calls 5087->5092 5088->5090 5091 4035ec 5088->5091 5089->5009 5090->5082 5090->5083 5091->5089 5363 403554 5091->5363 5092->5087 5095 4025b0 5094->5095 5096 4025ba 5094->5096 5095->5096 5097 403154 4 API calls 5095->5097 5096->5007 5096->5096 5097->5096 5121 4051a8 5098->5121 5101 407284 FormatMessageA 5102 4072aa 5101->5102 5103 403278 18 API calls 5102->5103 5104 4072c7 5103->5104 5105 408da8 5104->5105 5106 408dc8 5105->5106 5264 408c80 5106->5264 5109 405890 5110 405897 5109->5110 5111 4031e8 18 API calls 5110->5111 5112 4058af 
5111->5112 5112->5019 5115 4031be 5113->5115 5114 4031e3 5117 403198 5114->5117 5115->5114 5116 4025ac 4 API calls 5115->5116 5116->5115 5118 4031b7 5117->5118 5119 40319e 5117->5119 5118->4983 5118->5062 5119->5118 5120 4025ac 4 API calls 5119->5120 5120->5118 5122 4051c5 5121->5122 5129 404e58 5122->5129 5125 4051f1 5134 403278 5125->5134 5132 404e73 5129->5132 5130 404e85 5130->5125 5139 404be4 5130->5139 5132->5130 5142 404f7a 5132->5142 5149 404e4c 5132->5149 5135 403254 18 API calls 5134->5135 5136 403288 5135->5136 5137 403198 4 API calls 5136->5137 5138 4032a0 5137->5138 5138->5101 5256 405940 5139->5256 5141 404bf5 5141->5125 5143 404f8b 5142->5143 5147 404fd9 5142->5147 5146 40505f 5143->5146 5143->5147 5145 404ff7 5145->5132 5146->5145 5156 404e38 5146->5156 5147->5145 5152 404df4 5147->5152 5150 403198 4 API calls 5149->5150 5151 404e56 5150->5151 5151->5132 5153 404e02 5152->5153 5159 404bfc 5153->5159 5155 404e30 5155->5147 5186 4039a4 5156->5186 5162 4059b0 5159->5162 5161 404c15 5161->5155 5163 4059be 5162->5163 5172 404cdc LoadStringA 5163->5172 5166 405194 33 API calls 5167 4059f6 5166->5167 5175 4031e8 5167->5175 5170 4031b8 4 API calls 5171 405a1b 5170->5171 5171->5161 5173 403278 18 API calls 5172->5173 5174 404d09 5173->5174 5174->5166 5176 4031ec 5175->5176 5179 4031fc 5175->5179 5176->5179 5181 403254 5176->5181 5177 403228 5177->5170 5179->5177 5180 4025ac 4 API calls 5179->5180 5180->5177 5182 403274 5181->5182 5183 403258 5181->5183 5182->5179 5184 402594 18 API calls 5183->5184 5185 403261 5184->5185 5185->5179 5187 4039ab 5186->5187 5192 4038b4 5187->5192 5189 4039cb 5190 403198 4 API calls 5189->5190 5191 4039d2 5190->5191 5191->5145 5193 4038d5 5192->5193 5194 4038c8 5192->5194 5196 403934 5193->5196 5197 4038db 5193->5197 5220 403780 5194->5220 5198 403993 5196->5198 5199 40393b 5196->5199 5200 4038e1 5197->5200 5201 4038ee 5197->5201 5202 4037f4 3 API calls 5198->5202 5203 403941 5199->5203 5204 40394b 5199->5204 5227 403894 
5200->5227 5206 403894 6 API calls 5201->5206 5209 4038d0 5202->5209 5242 403864 5203->5242 5208 4037f4 3 API calls 5204->5208 5210 4038fc 5206->5210 5211 40395d 5208->5211 5209->5189 5232 4037f4 5210->5232 5214 403864 23 API calls 5211->5214 5213 403917 5238 40374c 5213->5238 5215 403976 5214->5215 5218 40374c VariantClear 5215->5218 5217 40392c 5217->5189 5219 40398b 5218->5219 5219->5189 5221 4037f0 5220->5221 5223 403744 5220->5223 5221->5209 5222 403793 VariantClear 5222->5223 5223->5220 5223->5222 5224 4037ab 5223->5224 5225 403198 4 API calls 5223->5225 5226 4037dc VariantCopyInd 5223->5226 5224->5209 5225->5223 5226->5221 5226->5223 5247 4036b8 5227->5247 5230 40374c VariantClear 5231 4038a9 5230->5231 5231->5209 5233 403845 VariantChangeTypeEx 5232->5233 5234 40380a VariantChangeTypeEx 5232->5234 5237 403832 5233->5237 5235 403826 5234->5235 5236 40374c VariantClear 5235->5236 5236->5237 5237->5213 5239 403759 5238->5239 5240 403766 5238->5240 5239->5240 5241 403779 VariantClear 5239->5241 5240->5217 5241->5217 5253 40369c SysStringLen 5242->5253 5245 40374c VariantClear 5246 403882 5245->5246 5246->5209 5248 4036cb 5247->5248 5249 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5248->5249 5250 4036db 5248->5250 5251 40372e 5249->5251 5252 4036ed MultiByteToWideChar SysAllocStringLen 5250->5252 5251->5230 5252->5251 5254 403610 21 API calls 5253->5254 5255 4036b3 5254->5255 5255->5245 5257 40594c 5256->5257 5258 404cdc 19 API calls 5257->5258 5259 405972 5258->5259 5260 4031e8 18 API calls 5259->5260 5261 40597d 5260->5261 5262 403198 4 API calls 5261->5262 5263 405992 5262->5263 5263->5141 5265 403198 4 API calls 5264->5265 5267 408cb1 5264->5267 5265->5267 5266 4031b8 4 API calls 5268 408d69 5266->5268 5269 408cc8 5267->5269 5270 403278 18 API calls 5267->5270 5272 408cdc 5267->5272 5273 4032fc 18 API calls 5267->5273 5268->5109 5271 4032fc 18 API calls 5269->5271 5270->5267 5271->5272 5272->5266 5273->5267 5275 4034fd 5274->5275 5282 
40352d 5274->5282 5277 403526 5275->5277 5280 403509 5275->5280 5276 403198 4 API calls 5279 403517 5276->5279 5278 403254 18 API calls 5277->5278 5278->5282 5279->5040 5283 4025c4 5280->5283 5282->5276 5285 4025ca 5283->5285 5284 4025dc 5284->5279 5284->5284 5285->5284 5287 403154 5285->5287 5288 403164 5287->5288 5289 40318c TlsGetValue 5287->5289 5288->5284 5290 403196 5289->5290 5291 40316f 5289->5291 5290->5284 5295 40310c 5291->5295 5293 403174 TlsGetValue 5294 403184 5293->5294 5294->5284 5296 403120 LocalAlloc 5295->5296 5297 403116 5295->5297 5298 40313e TlsSetValue 5296->5298 5299 403132 5296->5299 5297->5296 5298->5299 5299->5293 5301 406b1c 5300->5301 5302 403278 18 API calls 5301->5302 5303 406b29 5302->5303 5310 403420 5303->5310 5305 406b31 5306 4031e8 18 API calls 5305->5306 5307 406b49 5306->5307 5308 403198 4 API calls 5307->5308 5309 406b6b 5308->5309 5309->5043 5311 403426 5310->5311 5313 403437 5310->5313 5312 403254 18 API calls 5311->5312 5311->5313 5312->5313 5313->5305 5315 4033bc 5314->5315 5316 403254 18 API calls 5315->5316 5317 4033cf 5316->5317 5318 4031e8 18 API calls 5317->5318 5319 4033f7 5318->5319 5321 402bd5 RaiseException 5320->5321 5322 402be6 5320->5322 5321->5322 5322->5066 5324 408e8e 5323->5324 5326 408ea6 5324->5326 5336 408e18 5324->5336 5327 408e18 18 API calls 5326->5327 5328 408eca 5326->5328 5327->5328 5339 407918 5328->5339 5330 408ee5 5331 408e18 18 API calls 5330->5331 5333 408ef8 5330->5333 5331->5333 5332 408e18 18 API calls 5332->5333 5333->5332 5334 403278 18 API calls 5333->5334 5335 408f27 5333->5335 5334->5333 5335->5068 5337 405890 18 API calls 5336->5337 5338 408e29 5337->5338 5338->5326 5342 4078c4 5339->5342 5343 4078d6 5342->5343 5344 4078e7 5342->5344 5345 4078db InterlockedExchange 5343->5345 5344->5330 5345->5344 5354 408f70 5346->5354 5348 408fd2 5349 408fd6 5348->5349 5350 408ff2 DeleteFileA GetLastError 5348->5350 5349->5078 5351 409010 5350->5351 5360 408fac 5351->5360 5355 408f7a 5354->5355 5356 
408f7e 5354->5356 5355->5348 5357 408fa0 SetLastError 5356->5357 5358 408f87 Wow64DisableWow64FsRedirection 5356->5358 5359 408f9b 5357->5359 5358->5359 5359->5348 5361 408fb1 Wow64RevertWow64FsRedirection 5360->5361 5362 408fbb 5360->5362 5361->5362 5362->5078 5364 403566 5363->5364 5366 403578 5364->5366 5367 403604 5364->5367 5366->5091 5368 40357c 5367->5368 5373 40359b 5368->5373 5374 4035d0 5368->5374 5375 4035a0 5368->5375 5379 4035b6 5368->5379 5369 4035b1 5371 403198 4 API calls 5369->5371 5370 4035b8 5372 4031b8 4 API calls 5370->5372 5371->5379 5372->5379 5373->5375 5376 4035ec 5373->5376 5377 40357c 4 API calls 5374->5377 5374->5379 5375->5369 5375->5370 5378 403554 4 API calls 5376->5378 5376->5379 5377->5374 5378->5376 5379->5364 6670 401ab9 6671 401a96 6670->6671 6672 401aa9 RtlDeleteCriticalSection 6671->6672 6673 401a9f RtlLeaveCriticalSection 6671->6673 6673->6672

Control-flow Graph (00409B78 - 00409C33; basic block, APIs it calls, successors)

• 409b78-409b9c GetSystemInfo, VirtualQuery -> 409ba2, 409c2c
• 409ba2 -> 409c21
• 409c21-409c26 -> 409c2c, 409ba4
• 409ba4-409bab -> 409c0d, 409bad
• 409bad-409bb1 -> 409c0d, 409bb3
• 409bb3-409bbb -> 409bcc, 409bbd
• 409bbd-409bc0 -> 409bcc, 409bc2
• 409bc2-409bc5 -> 409bcc, 409bc7
• 409bc7-409bca -> 409bcc, 409be1
• 409bcc-409bdd VirtualProtect -> 409be1, 409bdf
• 409bdf -> 409be1
• 409be1-409be3 -> 409bf2
• 409bf2-409bf5 -> 409be5, 409bf7
• 409be5-409bee call 409b70 -> 409bf2
• 409bf7-409bf9 -> 409c0d, 409bfb
• 409bfb-409c08 VirtualProtect -> 409c0d
• 409c0d-409c1f VirtualQuery -> 409c2c, 409c21
• 409c2c-409c33 exit

Read together with the API list below: the function queries memory regions starting at the image base 00400000 (dwLength 0000001C, the size of a 32-bit MEMORY_BASIC_INFORMATION), and for each region that passes the checks in 409bad-409bca it sets PAGE_EXECUTE_READWRITE (00000040), runs a loop at 409bf2-409bf5 that calls 409b70, and issues a second VirtualProtect (arguments not recovered, plausibly restoring the previous protection) before VirtualQuery moves to the next region. Rewriting the protection of the loaded image's own pages in this way is what section-rights-change detections key on.
                                                                                          APIs
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                                                          • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                                                          • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                                                          • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                          • String ID:
                                                                                          • API String ID: 2441996862-0
                                                                                          • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                          • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                                                          • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                          • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
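The API bullets in this section are easier to review once the hex constants are decoded: the VirtualQuery/VirtualProtect walk at 00409B78 above, the GetLocaleInfoA call at 0040522A, and the GetModuleHandleA/GetProcAddress/SetProcessDEPPolicy sequence at 00404582 that follow. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample. It parses lines in the report's "APIs" format, keeps only the API's real parameters (the report lists more stack slots than a call takes: VirtualProtect has four parameters but eight values are shown, the trailing four being the earlier VirtualQuery frame), decodes the page-protection, DEP and LCType constants, and flags what a triage engineer wants to see. The per-API parameter counts, the image base of 0x400000 and the set of "hardening" exports are assumptions of the example; the sample input is the report's own API lines copied verbatim.

```python
import re
from dataclasses import dataclass

# One bullet of a Joe Sandbox "APIs" block: "• Name.MODULE(arg, ...), ref: 00409BD6"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Real parameter count per API (assumed here from the Win32 prototypes); the report
# prints extra stack slots after them, which we drop.
PARAM_COUNT = {
    "GetSystemInfo": 1, "VirtualQuery": 3, "VirtualProtect": 4, "GetLocaleInfoA": 4,
    "GetModuleHandleA": 1, "GetProcAddress": 2, "SetProcessDEPPolicy": 1,
}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE",
}
DEP_FLAGS = {0x1: "PROCESS_DEP_ENABLE", 0x2: "PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION"}
# GetLocaleInfo LCType values from winnls.h; 0x44 in the report is LOCALE_SABBREVMONTHNAME1.
LCTYPE = {0x2: "LOCALE_SLANGUAGE", 0xE: "LOCALE_SDECIMAL", 0xF: "LOCALE_STHOUSAND",
          0x1F: "LOCALE_SSHORTDATE", 0x20: "LOCALE_SLONGDATE", 0x1003: "LOCALE_STIMEFORMAT"}
for _i in range(12):
    LCTYPE[0x38 + _i] = f"LOCALE_SMONTHNAME{_i + 1}"
    LCTYPE[0x44 + _i] = f"LOCALE_SABBREVMONTHNAME{_i + 1}"
for _i in range(7):
    LCTYPE[0x2A + _i] = f"LOCALE_SDAYNAME{_i + 1}"
    LCTYPE[0x31 + _i] = f"LOCALE_SABBREVDAYNAME{_i + 1}"
# kernel32 exports that older Windows builds lack; a loader resolves them with
# GetProcAddress so it still starts there. Resolving these is hardening, not evasion.
# Set chosen for this example.
HARDENING_EXPORTS = {"SetDllDirectoryA", "SetDllDirectoryW", "SetSearchPathMode",
                     "SetDefaultDllDirectories", "SetProcessDEPPolicy"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # int for a hex constant, str for a literal, None for "?"
    ref: int     # call-site address


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                      # value not recovered by the analysis
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                           # string literal, e.g. an export name


def parse_api_block(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"].strip()
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        n = PARAM_COUNT.get(m["name"])
        calls.append(ApiCall(m["name"], m["module"], args[:n] if n else args, int(m["ref"], 16)))
    return calls


def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) or f"0x{value:x}"


def triage(calls, image_base=0x400000):
    """Return (ref, kind, detail) findings for the calls worth a reviewer's attention."""
    out = []
    for c in calls:
        a = c.args
        if c.name == "VirtualProtect" and len(a) >= 3 and isinstance(a[2], int):
            kind = "rwx-protect" if a[2] & (0x40 | 0x80) else "protect"
            out.append((c.ref, kind, f"VirtualProtect requests {decode_flags(a[2], PAGE_PROTECT)}"))
        elif c.name == "VirtualQuery" and a and a[0] == image_base:
            note = " (0x1c = 32-bit MEMORY_BASIC_INFORMATION)" if len(a) > 2 and a[2] == 0x1C else ""
            out.append((c.ref, "image-walk", f"VirtualQuery from image base 0x{image_base:x}{note}"))
        elif c.name == "GetProcAddress" and len(a) == 2 and isinstance(a[1], str):
            kind = "hardening-export" if a[1] in HARDENING_EXPORTS else "dynamic-import"
            out.append((c.ref, kind, f"resolves {a[1]} at run time"))
        elif c.name == "SetProcessDEPPolicy" and a and isinstance(a[0], int):
            out.append((c.ref, "dep-policy", f"SetProcessDEPPolicy({decode_flags(a[0], DEP_FLAGS)})"))
        elif c.name == "GetLocaleInfoA" and len(a) > 1 and isinstance(a[1], int):
            out.append((c.ref, "locale", f"GetLocaleInfoA LCType {LCTYPE.get(a[1], hex(a[1]))}"))
    return out


# Input: the API bullets of the three function records in this report section.
SAMPLE_APIS = """
• GetSystemInfo.KERNEL32(?), ref: 00409B8A
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
"""

if __name__ == "__main__":
    for ref, kind, detail in triage(parse_api_block(SAMPLE_APIS)):
        print(f"{ref:08x}  {kind:17} {detail}")
```

On the report's lines this yields one rwx-protect finding at 00409BD6 (PAGE_EXECUTE_READWRITE), an image-walk finding at 00409B95, the LOCALE_SABBREVMONTHNAME1 lookup at 0040522A, three hardening-export resolutions and SetProcessDEPPolicy(PROCESS_DEP_ENABLE). The second VirtualProtect at 00409C08 produces no finding because its protection argument is "?", which is the case a reviewer should not mistake for a benign restore. The hardening-export class is deliberately separated from dynamic-import: SetDllDirectoryW/SetSearchPathMode/SetProcessDEPPolicy resolved through GetProcAddress is a standard way to close DLL search-order hijacking and enable DEP on systems that have the export, and on its own says nothing about the sample's intent.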
                                                                                          APIs
                                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID:
                                                                                          • API String ID: 2299586839-0
                                                                                          • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                          • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                                          • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                          • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                          • API String ID: 3256987805-3653653586
                                                                                          • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                          • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                          • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                          • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,0207249C), ref: 0040966C
                                                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                          • SetWindowLongA.USER32(000203CE,000000FC,00409960), ref: 0040AB15
                                                                                          • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                          • DestroyWindow.USER32(000203CE,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                          • API String ID: 3757039580-3001827809
                                                                                          • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                          • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                                          • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                          • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                          • API String ID: 1646373207-2130885113
                                                                                          • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                          • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                          • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                          • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                          • SetWindowLongA.USER32(000203CE,000000FC,00409960), ref: 0040AB15
                                                                                            • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                            • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,0207249C,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                            • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,0207249C,00409AD8,00000000), ref: 00409A70
                                                                                            • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                            • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                            • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,0207249C,00409AD8), ref: 00409AA4
                                                                                          • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                          • DestroyWindow.USER32(000203CE,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                          • API String ID: 3586484885-3001827809
                                                                                          • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                          • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                          • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                          • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,0207249C,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,0207249C,00409AD8,00000000), ref: 00409A70
                                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                          • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,0207249C,00409AD8), ref: 00409AA4
                                                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,0207249C), ref: 0040966C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                          • String ID: D
                                                                                          • API String ID: 3356880605-2746444292
                                                                                          • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                          • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                          • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                          • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

                                                                                          Control-flow Graph

                                                                                          Control-flow graph image not captured; basic blocks recovered from the graph data: 401918-40193a (RtlInitializeCriticalSection), 40193c-401941 (RtlEnterCriticalSection), 401946-40197c (call 4012dc * 3, LocalAlloc), 40197e, 401983-401995, 401997-4019a6, 4019ad-4019c1, 4019c3-4019c8 (RtlLeaveCriticalSection), 4019cd.
                                                                                          APIs
                                                                                          • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                          • String ID:
                                                                                          • API String ID: 730355536-0
                                                                                          • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                          • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                          • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                          • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message
                                                                                          • String ID: .tmp$y@
                                                                                          • API String ID: 2030045667-2396523267
                                                                                          • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                          • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                          • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                          • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message
                                                                                          • String ID: .tmp$y@
                                                                                          • API String ID: 2030045667-2396523267
                                                                                          • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                          • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                          • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                          • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                          • String ID: .tmp
                                                                                          • API String ID: 1375471231-2986845003
                                                                                          • Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                          • Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
                                                                                          • Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                          • Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

                                                                                          Control-flow Graph
                                                                                          • Entry block 00407749; blocks 004076DC-00407917; WriteFile at 004076DC, then calls to 0040748C and 004073EC; call 00407890 and InterlockedExchange at 004078D6.
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3934441357-0
                                                                                          • Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                          • Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
                                                                                          • Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                          • Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

                                                                                          Control-flow Graph
                                                                                          • Entry block 00401FD4; blocks 00401FD4-00402158; call 00401918; RtlEnterCriticalSection at 00402012; calls to 00402F54 (two sites) and 00401EE0; RtlLeaveCriticalSection at 0040213D.
                                                                                          APIs
                                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                                            • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                            • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                            • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                            • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                          • String ID:
                                                                                          • API String ID: 296031713-0
                                                                                          • Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                          • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                                                          • Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                          • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

                                                                                          Control-flow Graph
                                                                                          • Single basic block 00406FA0-00406FF3: SetErrorMode, call 00403414, LoadLibraryA.
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLibraryLoadMode
                                                                                          • String ID:
                                                                                          • API String ID: 2987862817-0
                                                                                          • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                          • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                          • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                          • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                          APIs
                                                                                          • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                          • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$FilePointer
                                                                                          • String ID:
                                                                                          • API String ID: 1156039329-0
                                                                                          • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                          • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                          • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                          • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                          Control-flow Graph
                                                                                          • Blocks 0040762C-0040766A; ReadFile at 0040762C, with a side path through GetLastError at 00407652 and call 0040748C that rejoins at 00407663.
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastRead
                                                                                          • String ID:
                                                                                          • API String ID: 1948546556-0
                                                                                          • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                          • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                          • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                          • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                                          APIs
                                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                          • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$FilePointer
                                                                                          • String ID:
                                                                                          • API String ID: 1156039329-0
                                                                                          • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                          • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                          • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                          • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$AllocFree
                                                                                          • String ID:
                                                                                          • API String ID: 2087232378-0
                                                                                          • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                          • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                          • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                          • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                          APIs
                                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                            • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                                            • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                          • String ID:
                                                                                          • API String ID: 1658689577-0
                                                                                          • Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                          • Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
                                                                                          • Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                          • Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                          • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                          • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                          • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                          • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                          • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                          • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                          APIs
                                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID:
                                                                                          • API String ID: 3188754299-0
                                                                                          • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                          • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                                          • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                          • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastWrite
                                                                                          • String ID:
                                                                                          • API String ID: 442123175-0
                                                                                          • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                          • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                                          • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                          • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                                          APIs
                                                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FormatMessage
                                                                                          • String ID:
                                                                                          • API String ID: 1306739567-0
                                                                                          • Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                          • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                                          • Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                          • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                                          APIs
                                                                                          • SetEndOfFile.KERNEL32(?,02088000,0040AA59,00000000), ref: 004076B3
                                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLast
                                                                                          • String ID:
                                                                                          • API String ID: 734332943-0
                                                                                          • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                          • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                          • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                          • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                          • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                          • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                          • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                          • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                          • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                          • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                          APIs
                                                                                          • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CharPrev
                                                                                          • String ID:
                                                                                          • API String ID: 122130370-0
                                                                                          • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                          • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                          • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                          • Instruction Fuzzy Hash:
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                          • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                          • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                          • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                          APIs
                                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 1263568516-0
                                                                                          • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                          • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                          • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                          • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                          • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                          • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                          • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                          APIs
                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 1263568516-0
                                                                                          • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                          • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                          • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                          • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                          • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                          • String ID: SeShutdownPrivilege
                                                                                          • API String ID: 107509674-3733053543
                                                                                          • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                          • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                          • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                          • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                          APIs
                                                                                          • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                          • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                          • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                          • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                          • String ID:
                                                                                          • API String ID: 3473537107-0
                                                                                          • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                          • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                          • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                          • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                                          APIs
                                                                                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID:
                                                                                          • API String ID: 2299586839-0
                                                                                          • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                          • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                          • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                          • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                          APIs
                                                                                          • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: SystemTime
                                                                                          • String ID:
                                                                                          • API String ID: 2656138-0
                                                                                          • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                          • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                          • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                          • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Version
                                                                                          • String ID:
                                                                                          • API String ID: 1889659487-0
                                                                                          • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                          • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                          • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                          • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                          • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                          • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                          • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressCloseHandleModuleProc
                                                                                          • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                          • API String ID: 4190037839-2401316094
                                                                                          • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                          • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                          • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                          • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                          • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                          • String ID:
                                                                                          • API String ID: 1694776339-0
                                                                                          • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                          • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                          • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                          • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                          APIs
                                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                            • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                            • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoLocale$DefaultSystem
                                                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                          • API String ID: 1044490935-665933166
                                                                                          • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                          • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                          • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                          • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                          APIs
                                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                          • LocalFree.KERNEL32(006AA310,00000000,00401AB4), ref: 00401A1B
                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,006AA310,00000000,00401AB4), ref: 00401A3A
                                                                                          • LocalFree.KERNEL32(006AB310,?,00000000,00008000,006AA310,00000000,00401AB4), ref: 00401A79
                                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                          • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 3782394904-0
                                                                                          • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                          • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                          • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                          • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                          APIs
                                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                          • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExitMessageProcess
                                                                                          • String ID: Error$Runtime error at 00000000$9@
                                                                                          • API String ID: 1220098344-1503883590
                                                                                          • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                          • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                          • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                          • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                                          • String ID:
                                                                                          • API String ID: 262959230-0
                                                                                          • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                          • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                          • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                          • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                          • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CommandHandleLineModule
                                                                                          • String ID: P%i$U1hd.@
                                                                                          • API String ID: 2123368496-2689977985
                                                                                          • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                          • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                          • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                          • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                          APIs
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: QueryValue
                                                                                          • String ID: )q@
                                                                                          • API String ID: 3660427363-2284170586
                                                                                          • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                          • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                                          • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                          • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                                          APIs
                                                                                          • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                          Strings
                                                                                          • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                          • Setup, xrefs: 00409CAD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message
                                                                                          • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                          • API String ID: 2030045667-3271211647
                                                                                          • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                          • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                          • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                          • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2610125486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2610051387.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610208743.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2610331838.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLastSleep
                                                                                          • String ID:
                                                                                          • API String ID: 1458359878-0
                                                                                          • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                          • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                          • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                          • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                                          Execution Graph

                                                                                          Execution Coverage:16%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:4.7%
                                                                                          Total number of Nodes:2000
                                                                                          Total number of Limit Nodes:83
                                                                                          execution_graph 49970 40cd00 49971 40cd12 49970->49971 49972 40cd0d 49970->49972 49974 406f48 CloseHandle 49972->49974 49974->49971 49975 492848 49976 49287c 49975->49976 49977 49287e 49976->49977 49978 492892 49976->49978 50121 446f9c 32 API calls 49977->50121 49981 4928ce 49978->49981 49982 4928a1 49978->49982 49980 492887 Sleep 50041 4928c9 49980->50041 49987 49290a 49981->49987 49988 4928dd 49981->49988 50111 446ff8 49982->50111 49986 4928b0 49989 4928b8 FindWindowA 49986->49989 49993 492919 49987->49993 49994 492960 49987->49994 49990 446ff8 32 API calls 49988->49990 50115 447278 49989->50115 49992 4928ea 49990->49992 49996 4928f2 FindWindowA 49992->49996 50122 446f9c 32 API calls 49993->50122 50000 4929bc 49994->50000 50001 49296f 49994->50001 49998 447278 19 API calls 49996->49998 49997 492925 50123 446f9c 32 API calls 49997->50123 50054 492905 49998->50054 50008 492a18 50000->50008 50009 4929cb 50000->50009 50126 446f9c 32 API calls 50001->50126 50003 492932 50124 446f9c 32 API calls 50003->50124 50004 49297b 50127 446f9c 32 API calls 50004->50127 50007 49293f 50125 446f9c 32 API calls 50007->50125 50019 492a52 50008->50019 50020 492a27 50008->50020 50131 446f9c 32 API calls 50009->50131 50010 492988 50128 446f9c 32 API calls 50010->50128 50014 49294a SendMessageA 50018 447278 19 API calls 50014->50018 50015 4929d7 50132 446f9c 32 API calls 50015->50132 50017 492995 50129 446f9c 32 API calls 50017->50129 50018->50054 50028 492a61 50019->50028 50029 492aa0 50019->50029 50023 446ff8 32 API calls 50020->50023 50021 4929e4 50133 446f9c 32 API calls 50021->50133 50026 492a34 50023->50026 50025 4929a0 PostMessageA 50130 4470d0 19 API calls 50025->50130 50033 492a3c RegisterClipboardFormatA 50026->50033 50027 4929f1 50134 446f9c 32 API calls 50027->50134 50136 446f9c 32 API calls 50028->50136 50037 492aaf 50029->50037 50043 492af4 50029->50043 50034 447278 19 API calls 
50033->50034 50034->50041 50035 4929fc SendNotifyMessageA 50135 4470d0 19 API calls 50035->50135 50036 492a6d 50137 446f9c 32 API calls 50036->50137 50139 446f9c 32 API calls 50037->50139 50161 403420 50041->50161 50042 492a7a 50138 446f9c 32 API calls 50042->50138 50048 492b48 50043->50048 50049 492b03 50043->50049 50044 492abb 50140 446f9c 32 API calls 50044->50140 50047 492a85 SendMessageA 50051 447278 19 API calls 50047->50051 50058 492baa 50048->50058 50059 492b57 50048->50059 50143 446f9c 32 API calls 50049->50143 50050 492ac8 50141 446f9c 32 API calls 50050->50141 50051->50054 50054->50041 50055 492b0f 50144 446f9c 32 API calls 50055->50144 50057 492ad3 PostMessageA 50142 4470d0 19 API calls 50057->50142 50066 492bb9 50058->50066 50067 492c31 50058->50067 50062 446ff8 32 API calls 50059->50062 50060 492b1c 50145 446f9c 32 API calls 50060->50145 50064 492b64 50062->50064 50147 42e394 SetErrorMode 50064->50147 50065 492b27 SendNotifyMessageA 50146 4470d0 19 API calls 50065->50146 50070 446ff8 32 API calls 50066->50070 50075 492c40 50067->50075 50076 492c66 50067->50076 50072 492bc8 50070->50072 50071 492b71 50073 492b87 GetLastError 50071->50073 50074 492b77 50071->50074 50150 446f9c 32 API calls 50072->50150 50077 447278 19 API calls 50073->50077 50078 447278 19 API calls 50074->50078 50155 446f9c 32 API calls 50075->50155 50085 492c98 50076->50085 50086 492c75 50076->50086 50079 492b85 50077->50079 50078->50079 50082 447278 19 API calls 50079->50082 50081 492c4a FreeLibrary 50156 4470d0 19 API calls 50081->50156 50082->50041 50094 492ca7 50085->50094 50100 492cdb 50085->50100 50090 446ff8 32 API calls 50086->50090 50087 492bdb GetProcAddress 50088 492c21 50087->50088 50089 492be7 50087->50089 50154 4470d0 19 API calls 50088->50154 50151 446f9c 32 API calls 50089->50151 50092 492c81 50090->50092 50098 492c89 CreateMutexA 50092->50098 50157 48ccc8 32 API calls 50094->50157 50095 492bf3 50152 446f9c 32 API calls 50095->50152 50098->50041 50099 492c00 50103 
447278 19 API calls 50099->50103 50100->50041 50159 48ccc8 32 API calls 50100->50159 50102 492cb3 50104 492cc4 OemToCharBuffA 50102->50104 50105 492c11 50103->50105 50158 48cce0 19 API calls 50104->50158 50153 4470d0 19 API calls 50105->50153 50108 492cf6 50109 492d07 CharToOemBuffA 50108->50109 50160 48cce0 19 API calls 50109->50160 50112 447000 50111->50112 50165 436078 50112->50165 50114 44701f 50114->49986 50116 447280 50115->50116 50278 4363e0 VariantClear 50116->50278 50118 4472a3 50119 4472ba 50118->50119 50279 408c0c 18 API calls 50118->50279 50119->50041 50121->49980 50122->49997 50123->50003 50124->50007 50125->50014 50126->50004 50127->50010 50128->50017 50129->50025 50130->50054 50131->50015 50132->50021 50133->50027 50134->50035 50135->50041 50136->50036 50137->50042 50138->50047 50139->50044 50140->50050 50141->50057 50142->50054 50143->50055 50144->50060 50145->50065 50146->50041 50280 403738 50147->50280 50150->50087 50151->50095 50152->50099 50153->50054 50154->50054 50155->50081 50156->50041 50157->50102 50158->50041 50159->50108 50160->50041 50163 403426 50161->50163 50162 40344b 50163->50162 50164 402660 4 API calls 50163->50164 50164->50163 50166 436084 50165->50166 50176 4360a6 50165->50176 50166->50176 50185 408c0c 18 API calls 50166->50185 50167 436129 50194 408c0c 18 API calls 50167->50194 50169 436111 50189 403494 50169->50189 50170 436105 50170->50114 50171 4360f9 50180 403510 18 API calls 50171->50180 50172 4360ed 50186 403510 50172->50186 50173 43611d 50193 4040e8 32 API calls 50173->50193 50176->50167 50176->50169 50176->50170 50176->50171 50176->50172 50176->50173 50179 43613a 50179->50114 50184 436102 50180->50184 50182 436126 50182->50114 50184->50114 50185->50176 50195 4034e0 50186->50195 50190 403498 50189->50190 50191 4034ba 50190->50191 50192 402660 4 API calls 50190->50192 50191->50114 50192->50191 50193->50182 50194->50179 50200 4034bc 50195->50200 50197 4034f0 50205 403400 50197->50205 50201 4034c0 50200->50201 50202 4034dc 
50200->50202 50209 402648 50201->50209 50202->50197 50204 4034c9 50204->50197 50206 403406 50205->50206 50207 40341f 50205->50207 50206->50207 50273 402660 50206->50273 50207->50114 50210 40264c 50209->50210 50212 402656 50209->50212 50215 402088 50210->50215 50211 402652 50211->50212 50226 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50211->50226 50212->50204 50212->50212 50216 40209c 50215->50216 50217 4020a1 50215->50217 50227 4019cc RtlInitializeCriticalSection 50216->50227 50219 4020c6 RtlEnterCriticalSection 50217->50219 50220 4020d0 50217->50220 50221 4020a5 50217->50221 50219->50220 50220->50221 50234 401f94 50220->50234 50221->50211 50224 4021f1 RtlLeaveCriticalSection 50225 4021fb 50224->50225 50225->50211 50226->50212 50228 4019f0 RtlEnterCriticalSection 50227->50228 50229 4019fa 50227->50229 50228->50229 50230 401a18 LocalAlloc 50229->50230 50231 401a32 50230->50231 50232 401a81 50231->50232 50233 401a77 RtlLeaveCriticalSection 50231->50233 50232->50217 50233->50232 50237 401fa4 50234->50237 50235 401fd0 50239 401ff4 50235->50239 50245 401db4 50235->50245 50237->50235 50237->50239 50240 401f0c 50237->50240 50239->50224 50239->50225 50249 40178c 50240->50249 50244 401f29 50244->50237 50246 401e02 50245->50246 50247 401dd2 50245->50247 50246->50247 50260 401d1c 50246->50260 50247->50239 50255 4017a8 50249->50255 50250 4014e4 LocalAlloc VirtualAlloc VirtualFree 50250->50255 50251 4017b2 50252 401678 VirtualAlloc 50251->50252 50256 4017be 50252->50256 50253 40180f 50253->50244 50259 401e80 9 API calls 50253->50259 50254 4013e0 LocalAlloc 50254->50255 50255->50250 50255->50251 50255->50253 50255->50254 50257 401803 50255->50257 50256->50253 50258 4015c0 VirtualFree 50257->50258 50258->50253 50259->50244 50261 401d2e 50260->50261 50262 401d51 50261->50262 50263 401d63 50261->50263 50264 401940 LocalAlloc VirtualFree VirtualFree 50262->50264 50265 401940 LocalAlloc VirtualFree VirtualFree 50263->50265 50266 401d61 50264->50266 50265->50266 50267 
401d79 50266->50267 50268 401bf8 9 API calls 50266->50268 50267->50247 50269 401d88 50268->50269 50270 401da2 50269->50270 50271 401c4c 9 API calls 50269->50271 50272 401454 LocalAlloc 50270->50272 50271->50270 50272->50267 50274 402664 50273->50274 50275 40266e 50273->50275 50274->50275 50277 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50274->50277 50275->50207 50277->50275 50278->50118 50279->50119 50281 40373c LoadLibraryA 50280->50281 50281->50071 54064 498ba8 54122 403344 54064->54122 54066 498bb6 54125 4056a0 54066->54125 54068 498bbb 54128 40631c GetModuleHandleA GetProcAddress 54068->54128 54072 498bc5 54136 40994c 54072->54136 54404 4032fc 54122->54404 54124 403349 GetModuleHandleA GetCommandLineA 54124->54066 54127 4056db 54125->54127 54405 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54125->54405 54127->54068 54129 406338 54128->54129 54130 40633f GetProcAddress 54128->54130 54129->54130 54131 406355 GetProcAddress 54130->54131 54132 40634e 54130->54132 54133 406364 SetProcessDEPPolicy 54131->54133 54134 406368 54131->54134 54132->54131 54133->54134 54135 4063c4 6FB81CD0 54134->54135 54135->54072 54406 409024 54136->54406 54404->54124 54405->54127 54407 408cbc 19 API calls 54406->54407 54408 409035 54407->54408 54409 4085dc GetSystemDefaultLCID 54408->54409 54412 408612 54409->54412 54410 406dec 19 API calls 54410->54412 54411 408568 19 API calls 54411->54412 54412->54410 54412->54411 54413 403450 18 API calls 54412->54413 54417 408674 54412->54417 54413->54412 54414 406dec 19 API calls 54414->54417 54415 408568 19 API calls 54415->54417 54416 403450 18 API calls 54416->54417 54417->54414 54417->54415 54417->54416 54418 4086f7 54417->54418 54419 403420 4 API calls 54418->54419 54420 408711 54419->54420 54421 408720 GetSystemDefaultLCID 54420->54421 54478 408568 GetLocaleInfoA 54421->54478 54424 403450 18 API calls 54425 408760 54424->54425 54426 408568 19 API calls 54425->54426 54427 408775 54426->54427 54428 408568 19 API calls 
54427->54428 54429 408799 54428->54429 54484 4085b4 GetLocaleInfoA 54429->54484 54432 4085b4 GetLocaleInfoA 54433 4087c9 54432->54433 54434 408568 19 API calls 54433->54434 54435 4087e3 54434->54435 54436 4085b4 GetLocaleInfoA 54435->54436 54437 408800 54436->54437 54479 4085a1 54478->54479 54480 40858f 54478->54480 54482 403494 4 API calls 54479->54482 54481 4034e0 18 API calls 54480->54481 54483 40859f 54481->54483 54482->54483 54483->54424 54485 4085d0 54484->54485 54485->54432 55839 42f520 55840 42f52b 55839->55840 55841 42f52f NtdllDefWindowProc_A 55839->55841 55841->55840 50282 416b42 50283 416bea 50282->50283 50284 416b5a 50282->50284 50301 41531c 18 API calls 50283->50301 50286 416b74 SendMessageA 50284->50286 50287 416b68 50284->50287 50297 416bc8 50286->50297 50288 416b72 CallWindowProcA 50287->50288 50289 416b8e 50287->50289 50288->50297 50298 41a058 GetSysColor 50289->50298 50292 416b99 SetTextColor 50293 416bae 50292->50293 50299 41a058 GetSysColor 50293->50299 50295 416bb3 SetBkColor 50300 41a6e0 GetSysColor CreateBrushIndirect 50295->50300 50298->50292 50299->50295 50300->50297 50301->50297 55842 4358e0 55843 4358f5 55842->55843 55846 43590f 55843->55846 55848 4352c8 55843->55848 55855 435312 55848->55855 55858 4352f8 55848->55858 55849 403400 4 API calls 55850 435717 55849->55850 55850->55846 55861 435728 18 API calls 55850->55861 55851 446da4 18 API calls 55851->55858 55852 403744 18 API calls 55852->55858 55853 403450 18 API calls 55853->55858 55854 402648 18 API calls 55854->55858 55855->55849 55857 431ca0 18 API calls 55857->55858 55858->55851 55858->55852 55858->55853 55858->55854 55858->55855 55858->55857 55859 4038a4 18 API calls 55858->55859 55862 4343b0 55858->55862 55874 434b74 18 API calls 55858->55874 55859->55858 55861->55846 55863 43446d 55862->55863 55864 4343dd 55862->55864 55893 434310 18 API calls 55863->55893 55865 403494 4 API calls 55864->55865 55867 4343eb 55865->55867 55869 403778 18 API calls 55867->55869 55868 43445f 55870 
[Execution graph residue: the sandbox's call-graph view was flattened into node ids, code addresses and "->" edges that carry no readable structure in text form. The only recoverable information is the set of Windows API functions the graph nodes reference, listed here in order of first appearance.]

Dynamic API resolution: LoadLibraryExA, LoadLibraryA, GetProcAddress
Thread-local storage and heap: LocalAlloc, TlsSetValue, TlsGetValue, InterlockedExchange
Error handling: GetLastError, SetLastError, SetErrorMode
File system: WriteFile, SetCurrentDirectoryA, DeleteFileA, RemoveDirectoryA, MoveFileA, GetFileAttributesA
WOW64 redirection: Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection
Registry: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
Time: GetSystemTimeAsFileTime, FileTimeToSystemTime
String handling: CharNextA, CharPrevA, IsDBCSLeadByte
Window and menu management: CreateWindowExA, SetPropA, SetWindowPos, GetMenuItemCount, GetMenuStringA, GetMenuState, SetMenu, GetMenu, DestroyWindow, GetClassInfoA, RegisterClassA, UnregisterClassA, IsWindowVisible, IsWindowEnabled, EnableWindow, SendMessageA, IsIconic, SetActiveWindow, GetActiveWindow, GetFocus, SetFocus, ShowWindow, GetWindowTextA, SystemParametersInfoA
Drawing and resources: CreateFontIndirectA, LoadStringA, MessageBeep, GetDC, ReleaseDC, SelectObject, DrawTextA
53737 403494 4 API calls 53736->53737 53739 431efb 53737->53739 53738 431f25 53738->53699 53739->53738 53740 403744 18 API calls 53739->53740 53740->53739 53741->53708 53743 431cc0 53742->53743 53744 431cae 53742->53744 53746 431ce2 53743->53746 53749 431c40 18 API calls 53743->53749 53748 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53744->53748 53746->53708 53748->53743 53749->53746 53751 402648 18 API calls 53750->53751 53752 433d7b 53751->53752 53752->53716 53754 4470a3 53753->53754 53755 4470aa 53753->53755 53780 446e30 18 API calls 53754->53780 53757 431ca0 18 API calls 53755->53757 53758 4470ba 53757->53758 53758->53724 53760 43dd6c 53759->53760 53766 43dd99 53759->53766 53761 402660 4 API calls 53760->53761 53760->53766 53761->53760 53762 43ddce 53762->53729 53764 43fea5 53764->53762 53790 447024 18 API calls 53764->53790 53765 43c938 18 API calls 53765->53766 53766->53762 53766->53764 53766->53765 53767 447024 18 API calls 53766->53767 53769 433b18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53766->53769 53772 446e30 18 API calls 53766->53772 53774 433d18 18 API calls 53766->53774 53775 436650 18 API calls 53766->53775 53776 431c40 18 API calls 53766->53776 53781 4396e0 53766->53781 53787 436e4c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53766->53787 53788 43dc48 32 API calls 53766->53788 53789 433d34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53766->53789 53767->53766 53769->53766 53772->53766 53774->53766 53775->53766 53776->53766 53777->53729 53778->53727 53779->53727 53780->53755 53782 4396e9 53781->53782 53787->53766 53788->53766 53789->53766 53790->53764 53793 41fb58 53794 41fb61 53793->53794 53797 41fdfc 53794->53797 53796 41fb6e 53798 41feee 53797->53798 53799 41fe13 53797->53799 53798->53796 53799->53798 53818 41f9bc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 53799->53818 53801 41fe49 53802 41fe73 53801->53802 53803 41fe4d 53801->53803 53828 41f9bc GetWindowLongA GetSystemMetrics GetSystemMetrics 
GetWindowLongA 53802->53828 53819 41fb9c 53803->53819 53807 41fe81 53809 41fe85 53807->53809 53810 41feab 53807->53810 53808 41fb9c 10 API calls 53813 41fe71 53808->53813 53811 41fb9c 10 API calls 53809->53811 53812 41fb9c 10 API calls 53810->53812 53814 41fe97 53811->53814 53815 41febd 53812->53815 53813->53796 53817 41fb9c 10 API calls 53814->53817 53816 41fb9c 10 API calls 53815->53816 53816->53813 53817->53813 53818->53801 53820 41fbb7 53819->53820 53821 41fbcd 53820->53821 53822 41f93c 4 API calls 53820->53822 53829 41f93c 53821->53829 53822->53821 53824 41fc15 53825 41fc38 SetScrollInfo 53824->53825 53837 41fa9c 53825->53837 53828->53807 53830 4181e0 53829->53830 53831 41f959 GetWindowLongA 53830->53831 53832 41f996 53831->53832 53833 41f976 53831->53833 53849 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 53832->53849 53848 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 53833->53848 53836 41f982 53836->53824 53838 41faaa 53837->53838 53839 41fab2 53837->53839 53838->53808 53840 41faf1 53839->53840 53841 41fae1 53839->53841 53845 41faef 53839->53845 53851 417e48 IsWindowVisible ScrollWindow SetWindowPos 53840->53851 53850 417e48 IsWindowVisible ScrollWindow SetWindowPos 53841->53850 53842 41fb31 GetScrollPos 53842->53838 53846 41fb3c 53842->53846 53845->53842 53847 41fb4b SetScrollPos 53846->53847 53847->53838 53848->53836 53849->53836 53850->53845 53851->53845 53852 420598 53853 4205ab 53852->53853 53873 415b30 53853->53873 53855 4206f2 53856 420709 53855->53856 53880 4146d4 KiUserCallbackDispatcher 53855->53880 53860 420720 53856->53860 53881 414718 KiUserCallbackDispatcher 53856->53881 53857 420651 53878 420848 34 API calls 53857->53878 53858 4205e6 53858->53855 53858->53857 53866 420642 MulDiv 53858->53866 53862 420742 53860->53862 53882 420060 12 API calls 53860->53882 53864 42066a 53864->53855 53879 420060 12 API calls 53864->53879 53877 41a304 19 API calls 53866->53877 53869 420687 53870 4206a3 MulDiv 53869->53870 53871 4206c6 
53869->53871 53870->53871 53871->53855 53872 4206cf MulDiv 53871->53872 53872->53855 53874 415b42 53873->53874 53883 414470 53874->53883 53876 415b5a 53876->53858 53877->53857 53878->53864 53879->53869 53880->53856 53881->53860 53882->53862 53884 41448a 53883->53884 53887 410458 53884->53887 53886 4144a0 53886->53876 53890 40dca4 53887->53890 53889 41045e 53889->53886 53891 40dd06 53890->53891 53892 40dcb7 53890->53892 53897 40dd14 53891->53897 53895 40dd14 33 API calls 53892->53895 53896 40dce1 53895->53896 53896->53889 53899 40dd24 53897->53899 53900 40dd3a 53899->53900 53909 40e09c 53899->53909 53925 40d5e0 53899->53925 53928 40df4c 53900->53928 53903 40d5e0 19 API calls 53904 40dd42 53903->53904 53904->53903 53905 40ddae 53904->53905 53931 40db60 53904->53931 53906 40df4c 19 API calls 53905->53906 53908 40dd10 53906->53908 53908->53889 53945 40e96c 53909->53945 53911 403778 18 API calls 53913 40e0d7 53911->53913 53912 40e18d 53914 40e1b7 53912->53914 53915 40e1a8 53912->53915 53913->53911 53913->53912 54008 40d774 19 API calls 53913->54008 54009 40e080 19 API calls 53913->54009 54005 40ba24 53914->54005 53954 40e3c0 53915->53954 53921 40e1b5 53922 403400 4 API calls 53921->53922 53923 40e25c 53922->53923 53923->53899 53926 40ea08 19 API calls 53925->53926 53927 40d5ea 53926->53927 53927->53899 54042 40d4bc 53928->54042 54051 40df54 53931->54051 53934 40e96c 19 API calls 53935 40db9e 53934->53935 53936 40e96c 19 API calls 53935->53936 53937 40dba9 53936->53937 53938 40dbc4 53937->53938 53939 40dbbb 53937->53939 53944 40dbc1 53937->53944 54058 40d9d8 53938->54058 54061 40dac8 33 API calls 53939->54061 53942 403420 4 API calls 53943 40dc8f 53942->53943 53943->53904 53944->53942 54011 40d780 53945->54011 53948 4034e0 18 API calls 53949 40e98f 53948->53949 53950 403744 18 API calls 53949->53950 53951 40e996 53950->53951 53952 40d780 19 API calls 53951->53952 53953 40e9a4 53952->53953 53953->53913 53955 40e3ec 53954->53955 53957 40e3f6 53954->53957 54016 40d440 19 
API calls 53955->54016 53958 40e511 53957->53958 53959 40e495 53957->53959 53960 40e4f6 53957->53960 53961 40e576 53957->53961 53962 40e438 53957->53962 53963 40e4d9 53957->53963 53964 40e47a 53957->53964 53965 40e4bb 53957->53965 53976 40e45c 53957->53976 53968 40d764 19 API calls 53958->53968 54024 40de24 19 API calls 53959->54024 54029 40e890 19 API calls 53960->54029 53972 40d764 19 API calls 53961->53972 54017 40d764 53962->54017 54027 40e9a8 19 API calls 53963->54027 54023 40d818 19 API calls 53964->54023 54026 40dde4 19 API calls 53965->54026 53977 40e519 53968->53977 53971 403400 4 API calls 53978 40e5eb 53971->53978 53979 40e57e 53972->53979 53975 40e4a0 54025 40d470 19 API calls 53975->54025 53976->53971 53985 40e523 53977->53985 53986 40e51d 53977->53986 53978->53921 53987 40e582 53979->53987 53988 40e59b 53979->53988 53980 40e4e4 54028 409d38 18 API calls 53980->54028 53982 40e461 54022 40ded8 19 API calls 53982->54022 53983 40e444 54020 40de24 19 API calls 53983->54020 54030 40ea08 53985->54030 53993 40e521 53986->53993 53994 40e53c 53986->53994 53996 40ea08 19 API calls 53987->53996 54036 40de24 19 API calls 53988->54036 54034 40de24 19 API calls 53993->54034 53997 40ea08 19 API calls 53994->53997 53996->53976 53999 40e544 53997->53999 53998 40e44f 54021 40e26c 19 API calls 53998->54021 54033 40d8a0 19 API calls 53999->54033 54002 40e566 54035 40e2d4 18 API calls 54002->54035 54037 40b9d0 54005->54037 54008->53913 54009->53913 54010 40d774 19 API calls 54010->53921 54014 40d78b 54011->54014 54012 40d7c5 54012->53948 54014->54012 54015 40d7cc 19 API calls 54014->54015 54015->54014 54016->53957 54018 40ea08 19 API calls 54017->54018 54019 40d76e 54018->54019 54019->53982 54019->53983 54020->53998 54021->53976 54022->53976 54023->53976 54024->53975 54025->53976 54026->53976 54027->53980 54028->53976 54029->53976 54031 40d780 19 API calls 54030->54031 54032 40ea15 54031->54032 54032->53976 54033->53976 54034->54002 54035->53976 54036->53976 54038 40b9e2 
54037->54038 54040 40ba07 54037->54040 54038->54040 54041 40ba84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54038->54041 54040->53921 54040->54010 54041->54040 54043 40ea08 19 API calls 54042->54043 54044 40d4c9 54043->54044 54045 40d4dc 54044->54045 54049 40eb0c 19 API calls 54044->54049 54045->53904 54047 40d4d7 54050 40d458 19 API calls 54047->54050 54049->54047 54050->54045 54052 40d764 19 API calls 54051->54052 54053 40df6b 54052->54053 54054 40db93 54053->54054 54055 40ea08 19 API calls 54053->54055 54054->53934 54056 40df78 54055->54056 54056->54054 54062 40ded8 19 API calls 54056->54062 54063 40ab7c 33 API calls 54058->54063 54060 40da00 54060->53944 54061->53944 54062->54054 54063->54060 56265 41363c SetWindowLongA GetWindowLongA 56266 413699 SetPropA SetPropA 56265->56266 56267 41367b GetWindowLongA 56265->56267 56272 41f39c 56266->56272 56267->56266 56268 41368a SetWindowLongA 56267->56268 56268->56266 56277 415270 56272->56277 56284 423c0c 56272->56284 56378 423a84 56272->56378 56273 4136e9 56278 41527d 56277->56278 56279 4152e3 56278->56279 56280 4152d8 56278->56280 56283 4152e1 56278->56283 56385 424b8c 13 API calls 56279->56385 56280->56283 56386 41505c 60 API calls 56280->56386 56283->56273 56287 423c42 56284->56287 56303 423c63 56287->56303 56387 423b68 56287->56387 56288 423cec 56290 423cf3 56288->56290 56291 423d27 56288->56291 56289 423c8d 56292 423c93 56289->56292 56293 423d50 56289->56293 56298 423cf9 56290->56298 56336 423fb1 56290->56336 56294 423d32 56291->56294 56295 42409a IsIconic 56291->56295 56299 423cc5 56292->56299 56300 423c98 56292->56300 56296 423d62 56293->56296 56297 423d6b 56293->56297 56301 4240d6 56294->56301 56302 423d3b 56294->56302 56295->56303 56307 4240ae GetFocus 56295->56307 56304 423d78 56296->56304 56305 423d69 56296->56305 56394 424194 11 API calls 56297->56394 56308 423f13 SendMessageA 56298->56308 56309 423d07 56298->56309 56299->56303 56327 423cde 56299->56327 56328 423e3f 56299->56328 56310 423df6 
56300->56310 56311 423c9e 56300->56311 56408 424850 WinHelpA PostMessageA 56301->56408 56313 4240ed 56302->56313 56337 423cc0 56302->56337 56303->56273 56314 4241dc 11 API calls 56304->56314 56395 423b84 NtdllDefWindowProc_A 56305->56395 56307->56303 56315 4240bf 56307->56315 56308->56303 56309->56303 56309->56337 56358 423f56 56309->56358 56399 423b84 NtdllDefWindowProc_A 56310->56399 56316 423ca7 56311->56316 56317 423e1e PostMessageA 56311->56317 56325 4240f6 56313->56325 56326 42410b 56313->56326 56314->56303 56407 41eff4 GetCurrentThreadId EnumThreadWindows 56315->56407 56322 423cb0 56316->56322 56323 423ea5 56316->56323 56400 423b84 NtdllDefWindowProc_A 56317->56400 56331 423cb9 56322->56331 56332 423dce IsIconic 56322->56332 56333 423eae 56323->56333 56334 423edf 56323->56334 56324 423e39 56324->56303 56335 4244d4 19 API calls 56325->56335 56409 42452c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 56326->56409 56327->56337 56338 423e0b 56327->56338 56391 423b84 NtdllDefWindowProc_A 56328->56391 56330 4240c6 56330->56303 56342 4240ce SetFocus 56330->56342 56331->56337 56343 423d91 56331->56343 56345 423dea 56332->56345 56346 423dde 56332->56346 56402 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 56333->56402 56392 423b84 NtdllDefWindowProc_A 56334->56392 56335->56303 56336->56303 56352 423fd7 IsWindowEnabled 56336->56352 56337->56303 56393 423b84 NtdllDefWindowProc_A 56337->56393 56340 424178 26 API calls 56338->56340 56340->56303 56341 423e45 56349 423e83 56341->56349 56350 423e61 56341->56350 56342->56303 56343->56303 56396 422c4c ShowWindow PostMessageA PostQuitMessage 56343->56396 56398 423b84 NtdllDefWindowProc_A 56345->56398 56397 423bc0 29 API calls 56346->56397 56359 423a84 6 API calls 56349->56359 56401 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 56350->56401 56351 423eb6 56361 423ec8 56351->56361 56368 41ef58 6 API calls 56351->56368 56352->56303 56362 423fe5 56352->56362 56355 423ee5 56356 
423efd 56355->56356 56363 41eea4 2 API calls 56355->56363 56364 423a84 6 API calls 56356->56364 56358->56303 56366 423f78 IsWindowEnabled 56358->56366 56367 423e8b PostMessageA 56359->56367 56403 423b84 NtdllDefWindowProc_A 56361->56403 56371 423fec IsWindowVisible 56362->56371 56363->56356 56364->56303 56365 423e69 PostMessageA 56365->56303 56366->56303 56370 423f86 56366->56370 56367->56303 56368->56361 56404 412310 21 API calls 56370->56404 56371->56303 56373 423ffa GetFocus 56371->56373 56374 4181e0 56373->56374 56375 42400f SetFocus 56374->56375 56405 415240 56375->56405 56379 423b0d 56378->56379 56380 423a94 56378->56380 56379->56273 56380->56379 56381 423a9a EnumWindows 56380->56381 56381->56379 56382 423ab6 GetWindow GetWindowLongA 56381->56382 56410 423a1c GetWindow 56381->56410 56383 423ad5 56382->56383 56383->56379 56384 423b01 SetWindowPos 56383->56384 56384->56379 56384->56383 56385->56283 56386->56283 56388 423b72 56387->56388 56389 423b7d 56387->56389 56388->56389 56390 408720 21 API calls 56388->56390 56389->56288 56389->56289 56390->56389 56391->56341 56392->56355 56393->56303 56394->56303 56395->56303 56396->56303 56397->56303 56398->56303 56399->56303 56400->56324 56401->56365 56402->56351 56403->56303 56404->56303 56406 41525b SetFocus 56405->56406 56406->56303 56407->56330 56408->56324 56409->56324 56411 423a3d GetWindowLongA 56410->56411 56412 423a49 56410->56412 56411->56412 56413 4809f7 56414 480a00 56413->56414 56416 480a2b 56413->56416 56415 480a1d 56414->56415 56414->56416 56785 476c50 203 API calls 56415->56785 56417 480a6a 56416->56417 56787 47f4a4 18 API calls 56416->56787 56418 480a8e 56417->56418 56421 480a81 56417->56421 56422 480a83 56417->56422 56427 480aca 56418->56427 56428 480aac 56418->56428 56431 47f4e8 56 API calls 56421->56431 56789 47f57c 56 API calls 56422->56789 56423 480a22 56423->56416 56786 408be0 19 API calls 56423->56786 56424 480a5d 56788 47f50c 56 API calls 56424->56788 56792 47f33c 38 API calls 56427->56792 56432 
480ac1 56428->56432 56790 47f50c 56 API calls 56428->56790 56431->56418 56791 47f33c 38 API calls 56432->56791 56435 480ac8 56436 480ada 56435->56436 56437 480ae0 56435->56437 56438 480ade 56436->56438 56442 47f4e8 56 API calls 56436->56442 56437->56438 56440 47f4e8 56 API calls 56437->56440 56539 47c66c 56438->56539 56440->56438 56442->56438 56540 42d898 GetWindowsDirectoryA 56539->56540 56541 47c690 56540->56541 56542 403450 18 API calls 56541->56542 56543 47c69d 56542->56543 56544 42d8c4 GetSystemDirectoryA 56543->56544 56545 47c6a5 56544->56545 56546 403450 18 API calls 56545->56546 56547 47c6b2 56546->56547 56548 42d8f0 6 API calls 56547->56548 56549 47c6ba 56548->56549 56550 403450 18 API calls 56549->56550 56551 47c6c7 56550->56551 56552 47c6d0 56551->56552 56553 47c6ec 56551->56553 56824 42d208 56552->56824 56555 403400 4 API calls 56553->56555 56557 47c6ea 56555->56557 56559 47c731 56557->56559 56561 42c8cc 19 API calls 56557->56561 56558 403450 18 API calls 56558->56557 56804 47c4f4 56559->56804 56563 47c70c 56561->56563 56565 403450 18 API calls 56563->56565 56564 403450 18 API calls 56566 47c74d 56564->56566 56567 47c719 56565->56567 56568 47c76b 56566->56568 56569 4035c0 18 API calls 56566->56569 56567->56559 56571 403450 18 API calls 56567->56571 56570 47c4f4 22 API calls 56568->56570 56569->56568 56572 47c77a 56570->56572 56571->56559 56573 403450 18 API calls 56572->56573 56574 47c787 56573->56574 56575 47c7af 56574->56575 56577 42c3fc 19 API calls 56574->56577 56576 47c816 56575->56576 56578 47c4f4 22 API calls 56575->56578 56580 47c8de 56576->56580 56581 47c836 SHGetKnownFolderPath 56576->56581 56579 47c79d 56577->56579 56582 47c7c7 56578->56582 56585 4035c0 18 API calls 56579->56585 56583 47c8e7 56580->56583 56584 47c908 56580->56584 56586 47c850 56581->56586 56587 47c88b SHGetKnownFolderPath 56581->56587 56588 403450 18 API calls 56582->56588 56585->56575 56587->56580 56785->56423 56787->56424 56788->56417 56789->56418 56790->56432 56791->56435 
56792->56435 56805 42de1c RegOpenKeyExA 56804->56805 56806 47c51a 56805->56806 56807 47c540 56806->56807 56808 47c51e 56806->56808 56809 403400 4 API calls 56807->56809 56810 42dd4c 20 API calls 56808->56810 56811 47c547 56809->56811 56812 47c52a 56810->56812 56811->56564 56813 47c535 RegCloseKey 56812->56813 56814 403400 4 API calls 56812->56814 56813->56811 56814->56813 56825 4038a4 18 API calls 56824->56825 56826 42d21b 56825->56826 56827 42d232 GetEnvironmentVariableA 56826->56827 56831 42d245 56826->56831 56836 42dbd0 18 API calls 56826->56836 56827->56826 56828 42d23e 56827->56828 56830 403400 4 API calls 56828->56830 56830->56831 56831->56558 56836->56826
Strings
(The messages below are the file-installation log strings of the Inno Setup installer engine; "onlyifdoesntexist" and "onlyifdestfileexists" are Inno Setup [Files] flag names and "Installing into GAC" is its gacinstall message. Their presence means this stage of the sample is an Inno Setup stub that drops files before the payload runs.)
                                                                                          • User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
                                                                                          • Existing file is a newer version. Skipping., xrefs: 00470C02
                                                                                          • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
                                                                                          • Will register the file (a DLL/OCX) later., xrefs: 0047151F
                                                                                          • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
                                                                                          • Uninstaller requires administrator: %s, xrefs: 0047118F
                                                                                          • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
                                                                                          • Existing file has a later time stamp. Skipping., xrefs: 00470DCF
                                                                                          • Couldn't read time stamp. Skipping., xrefs: 00470D35
                                                                                          • Incrementing shared file count (64-bit)., xrefs: 0047158C
                                                                                          • Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
                                                                                          • , xrefs: 00470BCF, 00470DA0, 00470E1E
                                                                                          • Non-default bitness: 32-bit, xrefs: 004708BB
                                                                                          • Dest filename: %s, xrefs: 00470894
                                                                                          • Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
                                                                                          • Installing into GAC, xrefs: 00471714
                                                                                          • Version of existing file: (none), xrefs: 00470CFA
                                                                                          • Installing the file., xrefs: 00470F09
                                                                                          • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
                                                                                          • Non-default bitness: 64-bit, xrefs: 004708AF
                                                                                          • Same time stamp. Skipping., xrefs: 00470D55
                                                                                          • Stripped read-only attribute., xrefs: 00470EC7
                                                                                          • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
                                                                                          • Time stamp of existing file: %s, xrefs: 00470A2B
                                                                                          • Version of our file: (none), xrefs: 00470AFC
                                                                                          • Same version. Skipping., xrefs: 00470CE5
                                                                                          • Time stamp of existing file: (failed to read), xrefs: 00470A37
                                                                                          • Will register the file (a type library) later., xrefs: 00471513
                                                                                          • Time stamp of our file: %s, xrefs: 0047099B
                                                                                          • Incrementing shared file count (32-bit)., xrefs: 004715A5
                                                                                          • @, xrefs: 004707B0
                                                                                          • Time stamp of our file: (failed to read), xrefs: 004709A7
                                                                                          • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
                                                                                          • Failed to strip read-only attribute., xrefs: 00470ED3
                                                                                          • Dest file is protected by Windows File Protection., xrefs: 004708ED
                                                                                          • Dest file exists., xrefs: 004709BB
                                                                                          • InUn, xrefs: 0047115F
                                                                                          • -- File entry --, xrefs: 004706FB
                                                                                          • Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
                                                                                          • .tmp, xrefs: 00470FB7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                          • API String ID: 0-4021121268
                                                                                          • Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                          • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                                          • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                          • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                                                          Control-flow Graph

(Blocks are coloured Executed / Not Executed in the interactive graph. Summary of the basic-block listing, addresses as in the graph:)
• 42e09c → 42e0b8: AllocateAndInitializeSid builds a two-sub-authority SID (0x20, 0x220 per the APIs list, i.e. BUILTIN\Administrators); on failure → 42e0af → exit at 42e287.
• 42e0e3: GetVersion; 42e102: GetModuleHandleA("advapi32.dll") + GetProcAddress("CheckTokenMembership") resolve the membership API at run time.
• 42e119: if CheckTokenMembership was found → 42e11d CheckTokenMembership → 42e131 → 42e269 FreeSid → exit.
• Otherwise 42e142: GetCurrentThread + OpenThreadToken; on failure 42e15e GetLastError → 42e174 GetCurrentProcess + OpenProcessToken (or 42e16a, call 4031bc, error exit).
• 42e193: GetTokenInformation (size query) → 42e1bd GetLastError → 42e1d6 allocate via 402648 and call GetTokenInformation again; each failure branch (42e1c7, 42e1fc, 42e189) calls 4031bc and leaves.
• 42e208 / 42e215: loop over the token's groups calling EqualSid (42e22a, 42e239, 42e23f), then 42e243 frees the buffer via 402660 and calls CloseHandle.
                                                                                          APIs
                                                                                          • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                                          • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                                          • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                                          • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                          • String ID: CheckTokenMembership$advapi32.dll
                                                                                          • API String ID: 2252812187-1888249752
                                                                                          • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                          • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                                          • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                          • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 1642 4502c0-4502cd 1643 4502d3-4502e0 GetVersion 1642->1643 1644 45037c-450386 1642->1644 1643->1644 1645 4502e6-4502fc LoadLibraryA 1643->1645 1645->1644 1646 4502fe-450377 GetProcAddress * 6 1645->1646 1646->1644
                                                                                          APIs
                                                                                          • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                                          • GetProcAddress.KERNEL32(6EBB0000,RmStartSession), ref: 00450309
                                                                                          • GetProcAddress.KERNEL32(6EBB0000,RmRegisterResources), ref: 0045031E
                                                                                          • GetProcAddress.KERNEL32(6EBB0000,RmGetList), ref: 00450333
                                                                                          • GetProcAddress.KERNEL32(6EBB0000,RmShutdown), ref: 00450348
                                                                                          • GetProcAddress.KERNEL32(6EBB0000,RmRestart), ref: 0045035D
                                                                                          • GetProcAddress.KERNEL32(6EBB0000,RmEndSession), ref: 00450372
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoadVersion
                                                                                          • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                          • API String ID: 1968650500-3419246398
                                                                                          • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                          • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                          • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                          • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 1790 423c0c-423c40 1791 423c42-423c43 1790->1791 1792 423c74-423c8b call 423b68 1790->1792 1793 423c45-423c61 call 40b24c 1791->1793 1798 423cec-423cf1 1792->1798 1799 423c8d 1792->1799 1819 423c63-423c6b 1793->1819 1820 423c70-423c72 1793->1820 1800 423cf3 1798->1800 1801 423d27-423d2c 1798->1801 1802 423c93-423c96 1799->1802 1803 423d50-423d60 1799->1803 1809 423fb1-423fb9 1800->1809 1810 423cf9-423d01 1800->1810 1804 423d32-423d35 1801->1804 1805 42409a-4240a8 IsIconic 1801->1805 1811 423cc5-423cc8 1802->1811 1812 423c98 1802->1812 1807 423d62-423d67 1803->1807 1808 423d6b-423d73 call 424194 1803->1808 1813 4240d6-4240eb call 424850 1804->1813 1814 423d3b-423d3c 1804->1814 1815 424152-42415a 1805->1815 1824 4240ae-4240b9 GetFocus 1805->1824 1821 423d78-423d80 call 4241dc 1807->1821 1822 423d69-423d8c call 423b84 1807->1822 1808->1815 1809->1815 1816 423fbf-423fca call 4181e0 1809->1816 1825 423f13-423f3a SendMessageA 1810->1825 1826 423d07-423d0c 1810->1826 1817 423da9-423db0 1811->1817 1818 423cce-423ccf 1811->1818 1827 423df6-423e06 call 423b84 1812->1827 1828 423c9e-423ca1 1812->1828 1813->1815 1831 423d42-423d45 1814->1831 1832 4240ed-4240f4 1814->1832 1829 424171-424177 1815->1829 1816->1815 1878 423fd0-423fdf call 4181e0 IsWindowEnabled 1816->1878 1817->1815 1841 423db6-423dbd 1817->1841 1842 423cd5-423cd8 1818->1842 1843 423f3f-423f46 1818->1843 1819->1829 1820->1792 1820->1793 1821->1815 1822->1815 1824->1815 1836 4240bf-4240c8 call 41eff4 1824->1836 1825->1815 1844 423d12-423d13 1826->1844 1845 42404a-424055 1826->1845 1827->1815 1837 423ca7-423caa 1828->1837 1838 423e1e-423e3a PostMessageA call 423b84 1828->1838 1847 424120-424127 1831->1847 1848 423d4b 1831->1848 1858 4240f6-424109 call 4244d4 1832->1858 1859 42410b-42411e call 42452c 1832->1859 1836->1815 1891 4240ce-4240d4 SetFocus 1836->1891 1855 423cb0-423cb3 1837->1855 1856 423ea5-423eac 
1837->1856 1838->1815 1841->1815 1861 423dc3-423dc9 1841->1861 1862 423cde-423ce1 1842->1862 1863 423e3f-423e5f call 423b84 1842->1863 1843->1815 1851 423f4c-423f51 call 404e54 1843->1851 1864 424072-42407d 1844->1864 1865 423d19-423d1c 1844->1865 1845->1815 1849 42405b-42406d 1845->1849 1882 42413a-424149 1847->1882 1883 424129-424138 1847->1883 1866 42414b-42414c call 423b84 1848->1866 1849->1815 1851->1815 1873 423cb9-423cba 1855->1873 1874 423dce-423ddc IsIconic 1855->1874 1875 423eae-423ec1 call 423b14 1856->1875 1876 423edf-423ef0 call 423b84 1856->1876 1858->1815 1859->1815 1861->1815 1879 423ce7 1862->1879 1880 423e0b-423e19 call 424178 1862->1880 1906 423e83-423ea0 call 423a84 PostMessageA 1863->1906 1907 423e61-423e7e call 423b14 PostMessageA 1863->1907 1864->1815 1867 424083-424095 1864->1867 1884 423d22 1865->1884 1885 423f56-423f5e 1865->1885 1903 424151 1866->1903 1867->1815 1892 423cc0 1873->1892 1893 423d91-423d99 1873->1893 1899 423dea-423df1 call 423b84 1874->1899 1900 423dde-423de5 call 423bc0 1874->1900 1922 423ed3-423eda call 423b84 1875->1922 1923 423ec3-423ecd call 41ef58 1875->1923 1916 423ef2-423ef8 call 41eea4 1876->1916 1917 423f06-423f0e call 423a84 1876->1917 1878->1815 1924 423fe5-423ff4 call 4181e0 IsWindowVisible 1878->1924 1879->1866 1880->1815 1882->1815 1883->1815 1884->1866 1885->1815 1890 423f64-423f6b 1885->1890 1890->1815 1908 423f71-423f80 call 4181e0 IsWindowEnabled 1890->1908 1891->1815 1892->1866 1893->1815 1909 423d9f-423da4 call 422c4c 1893->1909 1899->1815 1900->1815 1903->1815 1906->1815 1907->1815 1908->1815 1937 423f86-423f9c call 412310 1908->1937 1909->1815 1935 423efd-423f00 1916->1935 1917->1815 1922->1815 1923->1922 1924->1815 1942 423ffa-424045 GetFocus call 4181e0 SetFocus call 415240 SetFocus 1924->1942 1935->1917 1937->1815 1946 423fa2-423fac 1937->1946 1942->1815 1946->1815
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                          • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                                          • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                          • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 2133 4673a4-4673ba 2134 4673c4-46747b call 49577c call 402b30 * 6 2133->2134 2135 4673bc-4673bf call 402d30 2133->2135 2152 46747d-4674a4 call 41463c 2134->2152 2153 4674b8-4674d1 2134->2153 2135->2134 2157 4674a6 2152->2157 2158 4674a9-4674b3 call 4145fc 2152->2158 2159 4674d3-4674fa call 41461c 2153->2159 2160 46750e-46751c call 495a84 2153->2160 2157->2158 2158->2153 2166 4674ff-467509 call 4145dc 2159->2166 2167 4674fc 2159->2167 2168 46751e-46752d call 4958cc 2160->2168 2169 46752f-467531 call 4959f0 2160->2169 2166->2160 2167->2166 2174 467536-467589 call 4953e0 call 41a3d0 * 2 2168->2174 2169->2174 2181 46759a-4675af call 451458 call 414b18 2174->2181 2182 46758b-467598 call 414b18 2174->2182 2187 4675b4-4675bb 2181->2187 2182->2187 2189 467603-467a89 call 49581c call 495b40 call 41461c * 3 call 4146bc call 4145dc * 3 call 460bfc call 460c14 call 460c20 call 460c68 call 460bfc call 460c14 call 460c20 call 460c68 call 460c14 call 460c68 LoadBitmapA call 41d6b0 call 460c38 call 460c50 call 467180 call 468c94 call 466800 call 40357c call 414b18 call 466b38 call 466b40 call 466800 call 40357c * 2 call 414b18 call 468c94 call 466800 call 414b18 call 466b38 call 466b40 call 414b18 * 2 call 468c94 call 414b18 * 2 call 466b38 call 4145fc call 466b38 call 4145fc call 468c94 call 414b18 call 466b38 call 466b40 call 468c94 call 414b18 call 466b38 call 4145fc * 2 call 414b18 call 466b38 call 4145fc 2187->2189 2190 4675bd-4675fe call 4146bc call 414700 call 420f98 call 420fc4 call 420b68 call 420b94 2187->2190 2320 467ae5-467afe call 414a44 * 2 2189->2320 2321 467a8b-467ae3 call 4145fc call 414b18 call 466b38 call 4145fc 2189->2321 2190->2189 2329 467b03-467bb4 call 466800 call 468c94 call 466800 call 414b18 call 495b40 call 466b38 2320->2329 2321->2329 2347 467bb6-467bd1 2329->2347 2348 467bee-467e24 call 466800 call 414b18 call 495b50 * 2 call 42e8c0 call 4145fc 
call 466b38 call 4145fc call 4181e0 call 42ed38 call 414b18 call 49581c call 495b40 call 41461c call 466800 call 414b18 call 466b38 call 4145fc call 466800 call 468c94 call 466800 call 414b18 call 466b38 call 4145fc call 466b40 call 466800 call 414b18 call 466b38 2329->2348 2349 467bd6-467be9 call 4145fc 2347->2349 2350 467bd3 2347->2350 2409 467e26-467e2f 2348->2409 2410 467e65-467f1e call 466800 call 468c94 call 466800 call 414b18 call 495b40 call 466b38 2348->2410 2349->2348 2350->2349 2409->2410 2411 467e31-467e60 call 414a44 call 466b40 2409->2411 2428 467f20-467f3b 2410->2428 2429 467f58-468379 call 466800 call 414b18 call 495b50 * 2 call 42e8c0 call 4145fc call 466b38 call 4145fc call 414b18 call 49581c call 495b40 call 41461c call 414b18 call 466800 call 468c94 call 466800 call 414b18 call 466b38 call 466b40 call 42bbd0 call 495b50 call 44e8b0 call 466800 call 468c94 call 466800 call 468c94 call 466800 call 468c94 * 2 call 414b18 call 466b38 call 466b40 call 468c94 call 4953e0 call 41a3d0 call 466800 call 40357c call 414b18 call 466b38 call 4145fc call 414b18 * 2 call 495b50 call 403494 call 40357c * 2 call 414b18 2410->2429 2411->2410 2431 467f40-467f53 call 4145fc 2428->2431 2432 467f3d 2428->2432 2528 46839d-4683a4 2429->2528 2529 46837b-468398 call 44ffdc call 450138 2429->2529 2431->2429 2432->2431 2531 4683a6-4683c3 call 44ffdc call 450138 2528->2531 2532 4683c8-4683cf 2528->2532 2529->2528 2531->2532 2535 4683f3-468439 call 4181e0 GetSystemMenu AppendMenuA call 403738 AppendMenuA call 468d88 2532->2535 2536 4683d1-4683ee call 44ffdc call 450138 2532->2536 2549 468453 2535->2549 2550 46843b-468442 2535->2550 2536->2535 2553 468455-468464 2549->2553 2551 468444-46844d 2550->2551 2552 46844f-468451 2550->2552 2551->2549 2551->2552 2552->2553 2554 468466-46846d 2553->2554 2555 46847e 2553->2555 2557 46846f-468478 2554->2557 2558 46847a-46847c 2554->2558 2556 468480-46849a 2555->2556 2559 468543-46854a 2556->2559 2560 4684a0-4684a9 2556->2560 2557->2555 
2557->2558 2558->2556 2563 468550-468573 call 47c26c call 403450 2559->2563 2564 4685dd-4685eb call 414b18 2559->2564 2561 468504-46853e call 414b18 * 3 2560->2561 2562 4684ab-468502 call 47c26c call 414b18 call 47c26c call 414b18 call 47c26c call 414b18 2560->2562 2561->2559 2562->2559 2587 468584-468598 call 403494 2563->2587 2588 468575-468582 call 47c440 2563->2588 2572 4685f0-4685f9 2564->2572 2576 4685ff-468617 call 429fd8 2572->2576 2577 468709-468738 call 42b96c call 44e83c 2572->2577 2589 46868e-468692 2576->2589 2590 468619-46861d 2576->2590 2606 4687e6-4687ea 2577->2606 2607 46873e-468742 2577->2607 2602 4685aa-4685db call 42c804 call 42cbc0 call 403494 call 414b18 2587->2602 2603 46859a-4685a5 call 403494 2587->2603 2588->2602 2596 468694-46869d 2589->2596 2597 4686e2-4686e6 2589->2597 2598 46861f-468659 call 40b24c call 47c26c 2590->2598 2596->2597 2604 46869f-4686aa 2596->2604 2609 4686fa-468704 call 42a05c 2597->2609 2610 4686e8-4686f8 call 42a05c 2597->2610 2663 46865b-468662 2598->2663 2664 468688-46868c 2598->2664 2602->2572 2603->2602 2604->2597 2614 4686ac-4686b0 2604->2614 2617 4687ec-4687f3 2606->2617 2618 468869-46886d 2606->2618 2616 468744-468756 call 40b24c 2607->2616 2609->2577 2610->2577 2622 4686b2-4686d5 call 40b24c call 406ac4 2614->2622 2641 468788-4687bf call 47c26c call 44cb0c 2616->2641 2642 468758-468786 call 47c26c call 44cbdc 2616->2642 2617->2618 2625 4687f5-4687fc 2617->2625 2626 4688d6-4688df 2618->2626 2627 46886f-468886 call 40b24c 2618->2627 2673 4686d7-4686da 2622->2673 2674 4686dc-4686e0 2622->2674 2625->2618 2636 4687fe-468809 2625->2636 2634 4688e1-4688f9 call 40b24c call 4699fc 2626->2634 2635 4688fe-468913 call 466ee0 call 466c5c 2626->2635 2656 4688c6-4688d4 call 4699fc 2627->2656 2657 468888-4688c4 call 40b24c call 4699fc * 2 call 46989c 2627->2657 2634->2635 2682 468965-46896f call 414a44 2635->2682 2683 468915-468938 call 42a040 call 40b24c 2635->2683 2636->2635 2644 46880f-468813 2636->2644 2684 4687c4-4687c8 
2641->2684 2642->2684 2655 468815-46882b call 40b24c 2644->2655 2679 46885e-468862 2655->2679 2680 46882d-468859 call 42a05c call 4699fc call 46989c 2655->2680 2656->2635 2657->2635 2663->2664 2675 468664-468676 call 406ac4 2663->2675 2664->2589 2664->2598 2673->2597 2674->2597 2674->2622 2675->2664 2701 468678-468682 2675->2701 2679->2655 2694 468864 2679->2694 2680->2635 2696 468974-468993 call 414a44 2682->2696 2715 468943-468952 call 414a44 2683->2715 2716 46893a-468941 2683->2716 2692 4687d3-4687d5 2684->2692 2693 4687ca-4687d1 2684->2693 2700 4687dc-4687e0 2692->2700 2693->2692 2693->2700 2694->2635 2711 468995-4689b8 call 42a040 call 469b5c 2696->2711 2712 4689bd-4689e0 call 47c26c call 403450 2696->2712 2700->2606 2700->2616 2701->2664 2706 468684 2701->2706 2706->2664 2711->2712 2730 4689e2-4689eb 2712->2730 2731 4689fc-468a05 2712->2731 2715->2696 2716->2715 2720 468954-468963 call 414a44 2716->2720 2720->2696 2730->2731 2734 4689ed-4689fa call 47c440 2730->2734 2732 468a07-468a19 call 403684 2731->2732 2733 468a1b-468a2b call 403494 2731->2733 2732->2733 2742 468a2d-468a38 call 403494 2732->2742 2741 468a3d-468a54 call 414b18 2733->2741 2734->2741 2746 468a56-468a5d 2741->2746 2747 468a8a-468a94 call 414a44 2741->2747 2742->2741 2749 468a5f-468a68 2746->2749 2750 468a6a-468a74 call 42b0e4 2746->2750 2752 468a99-468abe call 403400 * 3 2747->2752 2749->2750 2753 468a79-468a88 call 414a44 2749->2753 2750->2753 2753->2752
                                                                                          APIs
                                                                                            • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
                                                                                          • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
                                                                                            • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
                                                                                            • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                            • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                            • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                            • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                            • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
                                                                                            • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                            • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                            • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
                                                                                            • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
                                                                                            • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
                                                                                            • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
                                                                                          • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0214FBE4,02151944,?,?,02151974,?,?,021519C4,?), ref: 004683FD
                                                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
                                                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
                                                                                            • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                                          • String ID: $(Default)$STOPIMAGE$%H
                                                                                          • API String ID: 3231140908-2624782221
                                                                                          • Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                          • Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
                                                                                          • Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                          • Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
                                                                                          APIs
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
                                                                                          • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
                                                                                          • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                          • String ID: unins$unins???.*
                                                                                          • API String ID: 3541575487-1009660736
                                                                                          • Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                          • Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
                                                                                          • Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                          • Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
                                                                                          APIs
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                                          • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFileFindFirstLast
                                                                                          • String ID:
                                                                                          • API String ID: 873889042-0
                                                                                          • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                          • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                                                          • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                          • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
                                                                                          APIs
                                                                                          • GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
                                                                                          • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateInstanceVersion
                                                                                          • String ID:
                                                                                          • API String ID: 1462612201-0
                                                                                          • Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                                                          • Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
                                                                                          • Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                                                          • Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
                                                                                          APIs
                                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID:
                                                                                          • API String ID: 2299586839-0
                                                                                          • Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                          • Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
                                                                                          • Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                          • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                                                          APIs
                                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: NtdllProc_Window
                                                                                          • String ID:
                                                                                          • API String ID: 4255912815-0
                                                                                          • Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                          • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                                                          • Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                          • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: NameUser
                                                                                          • String ID:
                                                                                          • API String ID: 2645101109-0
                                                                                          • Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                          • Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
                                                                                          • Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                          • Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
                                                                                          APIs
                                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: NtdllProc_Window
                                                                                          • String ID:
                                                                                          • API String ID: 4255912815-0
                                                                                          • Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                          • Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
                                                                                          • Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                          • Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

                                                                                          Control-flow Graph (rendered graph omitted; legend distinguished executed from not-executed blocks)
                                                                                          APIs
                                                                                            • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                            • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                          • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Value$Close
                                                                                          • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                          • API String ID: 3391052094-3342197833
                                                                                          • Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                          • Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
                                                                                          • Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                          • Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

                                                                                          Control-flow Graph (rendered graph omitted; legend distinguished executed from not-executed blocks)
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
                                                                                          • FindWindowA.USER32(00000000,00000000), ref: 004928B9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FindSleepWindow
                                                                                          • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                          • API String ID: 3078808852-3310373309
                                                                                          • Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                          • Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
                                                                                          • Opcode Fuzzy Hash: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                          • Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359

Control-flow Graph

Control-flow graph (text summary): function at 00483A7C, basic blocks 00483A7C-00483B52. The function resolves its APIs at run time instead of importing them: GetModuleHandleA(kernel32.dll) and GetProcAddress(GetNativeSystemInfo) in the entry block; when that export exists, GetNativeSystemInfo is called and GetProcAddress(IsWow64Process) follows (00483AA3), then GetCurrentProcess (00483ABB), a check through call 0045271C (00483ACE), GetProcAddress(GetSystemWow64DirectoryA) (00483AD7) and GetModuleHandleA(advapi32.dll) with a GetProcAddress for RegDeleteKeyExA (00483AE6; the name is visible in the stack snapshot at 00483AF0 and in the String ID list). When GetNativeSystemInfo is absent the code falls back to GetSystemInfo (00483B08). All paths rejoin at 00483B12, followed by a short decision tree (00483B1D-00483B46) and the return block at 00483B4D. Note that the argument column of the GetProcAddress at 00483AF6 shows advapi32.dll, a stale stack value, not the export being resolved.
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                          • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                          • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                          • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                          • API String ID: 2230631259-2623177817
                                                                                          • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                          • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                                                          • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                          • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

Control-flow Graph

Control-flow graph (text summary): function at 00468D88, basic blocks 00468D88-00468FBC. After call 0047C26C and call 00478E24 the function enters a loop (00468DDB-00468E20, re-entered from 00468F98) whose first block references %s\%s_is1 and Software\Microsoft\Windows\CurrentVersion\Uninstall (calls 004078F4, 00403738 and 0042DE1C, the last being the RegOpenKeyExA wrapper listed under APIs). When the key opens, the blocks from 00468E44 to 00468F75 read the "Inno Setup: ..." values through repeated call 0042DD4C (several followed by call 004314F8) and the key is released by RegCloseKey at 00468F7A; the loop exits to the epilogue at 00468FA2. The <AppId>_is1 key and these value names are the layout Inno Setup uses to record a previous installation under the uninstall key.
                                                                                          APIs
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                          Strings
                                                                                          • Inno Setup: App Path, xrefs: 00468E4A
                                                                                          • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                          • %s\%s_is1, xrefs: 00468E05
                                                                                          • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                          • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                          • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                          • Inno Setup: No Icons, xrefs: 00468E73
                                                                                          • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                          • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                          • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                          • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                          • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                          Similarity
                                                                                          • API ID: CloseOpen
                                                                                          • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                          • API String ID: 47109696-1093091907
                                                                                          • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                          • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                                                          • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                          • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59
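The three records above (the name-dispatch routine at 00492848, the GetProcAddress-based environment check at 00483A7C and the uninstall-key reader at 00468D88) are the kind of detail one wants to pull out of a report of this length by script rather than by eye. The Python below is an added example and not part of the Joe Sandbox report or of the sample: it parses the report's own line format (the control_flow_graph entry address, the bulleted API lines with their ref: addresses, the Strings entries and the $-separated String ID list) into one record per function and applies three triage checks: which export names a function resolves at run time, which registry keys it touches, and whether its strings carry Inno Setup's uninstall-key markers. SAMPLE_REPORT is constructed from lines copied out of those records; the function, class and field names are the example's own.

```python
"""Added example, not part of the Joe Sandbox report or of the sample: parse the report's
per-function records and triage them. SAMPLE_REPORT is constructed from lines copied out of
the records above; every function, class and field name below is the example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""Control-flow Graph
control_flow_graph 1051 492848-49287c call 403684 1054 49287e-49288d call 446f9c Sleep 1051->1054
• FindWindowA.USER32(00000000,00000000), ref: 004928B9
Control-flow Graph
control_flow_graph 1621 483a7c-483aa1 GetModuleHandleA GetProcAddress 1622 483b08-483b0d GetSystemInfo
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
• String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
Control-flow Graph
control_flow_graph 1647 468d88-468dc0 call 47c26c 1650 468dc6-468dd6 call 478e24
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
• Inno Setup: App Path, xrefs: 00468E4A
• %s\%s_is1, xrefs: 00468E05
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
• String ID: %s\%s_is1$Inno Setup: App Path$Software\Microsoft\Windows\CurrentVersion\Uninstall
"""

API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                    r"(\w+)\.\w+\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
STRING_RE = re.compile(r"^\s*•\s*(.*?),\s*xrefs:\s*[0-9A-Fa-f]+\s*$")
CFG_RE = re.compile(r"^\s*control_flow_graph\s+\d+\s+([0-9A-Fa-f]+)-")
HIVES = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}  # predefined HKEY_* handles


@dataclass
class ApiCall:
    name: str
    args: list[str]         # Joe's argument column is a stack snapshot, so entries can be stale
    ref: int                # call-site address
    subcall_of: int | None  # callee address when Joe marks the call "Part of subcall function"


@dataclass
class FunctionRecord:
    entry: int | None = None
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    string_ids: list[str] = field(default_factory=list)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split at each 'Control-flow Graph' heading; collect entry address, API calls, Strings and String IDs."""
    records: list[FunctionRecord] = []
    for line in text.splitlines():
        bare = line.strip()
        if bare == "Control-flow Graph":
            records.append(FunctionRecord())
        elif not records:
            continue
        elif m := CFG_RE.match(line):
            records[-1].entry = int(m.group(1), 16)
        elif m := API_RE.match(line):
            sub, name, args, ref = m.groups()
            records[-1].apis.append(ApiCall(name, [a.strip() for a in args.split(",")],
                                            int(ref, 16), int(sub, 16) if sub else None))
        elif bare.startswith("• String ID:"):
            records[-1].string_ids = bare.split(":", 1)[1].strip().split("$")
        elif m := STRING_RE.match(line):
            records[-1].strings.append(m.group(1))
    return records


def resolved_imports(rec: FunctionRecord) -> list[str]:
    """Export names resolved at run time. The argument column can be stale (00483AF6 shows advapi32.dll
    where the String IDs say RegDeleteKeyExA), so a String ID counts when it appears in any argument."""
    if not any(c.name == "GetProcAddress" for c in rec.apis):
        return []
    seen = {a for c in rec.apis for a in c.args}
    return [s for s in rec.string_ids
            if s in seen and not s.lower().endswith(".dll") and not re.fullmatch(r"[0-9A-Fa-f]{8}", s)]


def registry_keys(rec: FunctionRecord) -> list[str]:
    """Keys opened through a predefined hive handle, plus bare key paths found in the string table."""
    keys = [f"{HIVES[c.args[0]]}\\{c.args[1]}" for c in rec.apis
            if c.name.startswith("RegOpenKeyEx") and len(c.args) > 1 and c.args[0] in HIVES]
    return keys + [s for s in rec.strings if re.match(r"(?i)^(software|system)\\", s)]


def inno_setup_markers(rec: FunctionRecord) -> list[str]:
    """Strings tied to Inno Setup's uninstall-key layout (<AppId>_is1 keys, 'Inno Setup: ...' values)."""
    return list(dict.fromkeys(s for s in rec.strings + rec.string_ids
                              if s.startswith("Inno Setup:") or s.endswith("_is1")))


def summarize(text: str) -> list[dict]:
    """One triage row per record; 'apis' lists the function's own calls, not attributed subcalls."""
    return [{
        "entry": f"{rec.entry:08X}" if rec.entry is not None else None,
        "apis": sorted({c.name for c in rec.apis if c.subcall_of is None}),
        "resolved_imports": resolved_imports(rec),
        "registry": registry_keys(rec),
        "inno_setup": inno_setup_markers(rec),
    } for rec in parse_records(text)]
```

summarize(SAMPLE_REPORT) returns one dict per record. The resolved_imports check deliberately cross-references the String ID list instead of trusting the GetProcAddress argument column, because that column is a snapshot of the stack at the call site and, as the GetProcAddress at 00483AF6 shows, can display a neighbouring string (advapi32.dll) rather than the export actually requested (RegDeleteKeyExA).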

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                            • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                            • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                          • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                                          • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                                            • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                          • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                          • API String ID: 3771764029-544719455
                                                                                          • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                          • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                                                          • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                          • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

Control-flow Graph

Control-flow graph (text summary): function at 00423874, basic blocks 00423874-004239AB. Behind the guard at 00423874, the function looks up and if necessary registers the window class (GetClassInfoA at 00423884, RegisterClassA at 004238A8, with an error path through call 00408CBC and call 0040311C at 004238C1), reads the screen size with GetSystemMetrics (SM_CXSCREEN at 004238D7, SM_CYSCREEN at 004238E5), creates the window (call 0042364C inside 004238F4-00423950) and calls SetWindowLongA on it (00423944), optionally sends WM_SETICON (message 0x80) through SendMessageA (00423952), then removes the Maximize (0xF030), Size (0xF000) and, conditionally, Move (0xF010) entries from the system menu with GetSystemMenu and DeleteMenu (0042396A-004239A2).
                                                                                          APIs
                                                                                            • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                          • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                                          • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                                          • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                                          • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                                          • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                                          • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                                          • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                                          • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                          • String ID: |6B
                                                                                          • API String ID: 183575631-3009739247
                                                                                          • Opcode ID: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                          • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                                                          • Opcode Fuzzy Hash: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                          • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

Control-flow Graph

Control-flow graph (text summary): function at 0047CE78, basic blocks 0047CE78-0047CFB2. It selects the DLL that will supply SHGetFolderPathA (the string table names shell32.dll, shfolder.dll, the _isetup\_shfoldr.dll copy and a SHFOLDERDLL override), loads it through call 0042E394 (twice, in 0047CF20-0047CF48) and resolves the export with GetProcAddress(SHGetFolderPathA) at 0047CF6F. There are three error exits through call 00453344 (0047CED0, 0047CF4A with call 004078F4 formatting the message, and 0047CF8B when GetProcAddress returns NULL), which line up with the three "Failed to ..." strings in the table; the success path at 0047CF95 ends with two calls to 00403400.
                                                                                          APIs
                                                                                          • GetProcAddress.KERNEL32(74C60000,SHGetFolderPathA), ref: 0047CF7A
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AddressProc
                                                                                          • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                          • API String ID: 190572456-256906917
                                                                                          • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                          • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
                                                                                          • Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                          • Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

Control-flow Graph

Control-flow graph (text summary): function at 0040631C, basic blocks 0040631C-00406369. GetModuleHandleA(kernel32.dll) is followed by GetProcAddress for SetDllDirectoryW (00406322-0040632F), SetSearchPathMode (0040633F) and SetProcessDEPPolicy (00406355); a short conditional block follows each of the first two lookups (00406338, 0040634E), and SetProcessDEPPolicy is called with 00000001 (PROCESS_DEP_ENABLE) at 00406364 when the export is present. None of the three is imported statically, which keeps the binary loadable on Windows versions that lack them.
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                          • API String ID: 3256987805-3653653586
                                                                                          APIs
                                                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: LongWindow$Prop
                                                                                          • String ID: 3A$yA
                                                                                          • API String ID: 3887896539-3278460822

                                                                                          Control-flow Graph (rendered graph not recoverable): function 00467180-00467371, calling SHGetFileInfo (2x), ExtractIconA (3x) and internal subroutines 41461c, 41463c, 42c3fc, 40357c, 403738, 4670c0, 478e04, 47d33c, 403400; executed / not-executed shading omitted.
                                                                                          APIs
                                                                                          • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                            • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                            • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                          • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                          • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                          • String ID: c:\directory$shell32.dll$%H
                                                                                          • API String ID: 3376378930-166502273
                                                                                          APIs
                                                                                          • GetActiveWindow.USER32 ref: 0042F58F
                                                                                          • GetFocus.USER32 ref: 0042F597
                                                                                          • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                          • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                          • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                          • String ID: TWindowDisabler-Window
                                                                                          • API String ID: 3167913817-1824977358
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                          • API String ID: 1646373207-2130885113
                                                                                          APIs
                                                                                          • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                          • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                          • API String ID: 4130936913-2943970505
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                            • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                            • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                            • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                            • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                          • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                          • API String ID: 854858120-615399546
                                                                                          APIs
                                                                                          • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                          • OemToCharA.USER32(?,?), ref: 0042375C
                                                                                          • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Char$FileIconLoadLowerModuleName
                                                                                          • String ID: 2$MAINICON
                                                                                          • API String ID: 3935243913-3181700818
                                                                                          APIs
                                                                                          • GetDC.USER32(00000000), ref: 00495519
                                                                                            • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                          • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                          Strings
                                                                                          • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                          • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                          • API String ID: 2948443157-222967699
                                                                                          • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                          • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                                                          • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                          • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                                                          APIs
                                                                                          • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                                            • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                                            • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                            • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                            • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                            • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                            • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                            • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                                            • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                            • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                            • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                            • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                            • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                          • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                          • API String ID: 316262546-2767913252
                                                                                          • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                          • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                          • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                          • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                          APIs
                                                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: LongWindow$Prop
                                                                                          • String ID:
                                                                                          • API String ID: 3887896539-0
                                                                                          • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                          • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                          • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                          • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                          APIs
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                                          Strings
                                                                                          • WININIT.INI, xrefs: 004557E4
                                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                                          • PendingFileRenameOperations, xrefs: 00455754
                                                                                          • PendingFileRenameOperations2, xrefs: 00455784
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpen
                                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                          • API String ID: 47109696-2199428270
                                                                                          • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                          • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                                          • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                          • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                                          APIs
                                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                          • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                          • API String ID: 1375471231-2952887711
                                                                                          • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                          • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                                                          • Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                          • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
                                                                                          APIs
                                                                                          • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                          • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                          • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$EnumLongWindows
                                                                                          • String ID: \AB
                                                                                          • API String ID: 4191631535-3948367934
                                                                                          • Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                          • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                                                          • Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                          • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                                                          APIs
                                                                                          • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
                                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressDeleteHandleModuleProc
                                                                                          • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                          • API String ID: 588496660-1846899949
                                                                                          • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                          • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                                          • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                          • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
Strings
• NextButtonClick, xrefs: 0046BC4C
• Need to restart Windows? %s, xrefs: 0046BE95
• PrepareToInstall failed: %s, xrefs: 0046BE6E
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID:
• String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
• API String ID: 0-2329492092
• Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
• Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
• Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
• Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
APIs
• SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
• SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ActiveChangeNotifyWindow
• String ID: $Need to restart Windows? %s
• API String ID: 1160245247-4200181552
• Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
• Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
• Opcode Fuzzy Hash: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
• Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
• GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ChangeNotify$ErrorFullLastNamePath
• String ID: Creating directory: %s
• API String ID: 2451617938-483064649
• Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
• Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
• Opcode Fuzzy Hash: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
• Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-591603554
• Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
• Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
• Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
• Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
• UnregisterClassA.USER32(?,00400000), ref: 004164AB
• RegisterClassA.USER32(?), ref: 004164CE
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
• Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
• Opcode Fuzzy Hash: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
• Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
APIs
• 75381520.VERSION(00000000,?,?,?,00497900), ref: 00452530
• 75381500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
• 75381540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: 753815007538152075381540
• String ID: %E
• API String ID: 3367396946-175436132
• Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
• Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
• Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
• Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
APIs
• GetDC.USER32(00000000), ref: 0044B401
• SelectObject.GDI32(?,00000000), ref: 0044B424
• ReleaseDC.USER32(00000000,?), ref: 0044B457
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ObjectReleaseSelect
• String ID: %H
• API String ID: 1831053106-1959103961
• Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
• Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
• Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
• Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID: %H
• API String ID: 65125430-1959103961
• Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
• Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
• Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
• Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
• Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
• Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
• Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
• PendingFileRenameOperations2, xrefs: 00455A4F
• PendingFileRenameOperations, xrefs: 00455A40
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
• Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
• Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
• Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
                                                                                          APIs
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                                                          • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                                                          • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$CloseFileNext
                                                                                          • String ID:
                                                                                          • API String ID: 2066263336-0
                                                                                          • Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                          • Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
                                                                                          • Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                          • Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
                                                                                          APIs
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                                          • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                                          • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$CloseFileNext
                                                                                          • String ID:
                                                                                          • API String ID: 2066263336-0
                                                                                          • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                          • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                                                          • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                          • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                                                          APIs
                                                                                          • GetMenu.USER32(00000000), ref: 00421361
                                                                                          • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                                          • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                                          • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu
                                                                                          • String ID:
                                                                                          • API String ID: 3711407533-0
                                                                                          • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                          • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                                          • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                          • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                                          APIs
                                                                                          • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                                          • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                                          • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$CallMessageProcSendTextWindow
                                                                                          • String ID:
                                                                                          • API String ID: 601730667-0
                                                                                          • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                          • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                                                          • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                          • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
                                                                                          APIs
                                                                                          • GetDC.USER32(00000000), ref: 0042311E
                                                                                          • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDeviceEnumFontsRelease
                                                                                          • String ID:
                                                                                          • API String ID: 2698912916-0
                                                                                          • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                          • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                                                          • Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                          • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                                          APIs
                                                                                          • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                          • String ID:
                                                                                          • API String ID: 730355536-0
                                                                                          • Opcode ID: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                          • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                          • Opcode Fuzzy Hash: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                          • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                          APIs
                                                                                            • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                          • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                                          Strings
                                                                                          • NumRecs range exceeded, xrefs: 0045C396
                                                                                          • EndOffset range exceeded, xrefs: 0045C3CD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$BuffersFlush
                                                                                          • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                          • API String ID: 3593489403-659731555
                                                                                          • Opcode ID: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                          • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                                                          • Opcode Fuzzy Hash: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                          • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                                                          APIs
                                                                                            • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                            • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                            • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                            • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                            • Part of subcall function 004063C4: 6FB81CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                                            • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                                            • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                                            • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                            • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                            • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                                            • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                            • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                            • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                            • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                            • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                            • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                            • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                            • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                            • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                            • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                            • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                            • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                            • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                                          • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                                            • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                            • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                            • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                                            • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                          • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                                            • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                          • String ID: Setup
                                                                                          • API String ID: 504348408-3839654196
                                                                                          • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                          • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                                          • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                          • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
                                                                                          APIs
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: QueryValue
                                                                                          • String ID: $=H
                                                                                          • API String ID: 3660427363-3538597426
                                                                                          • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                          • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                                          • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                          • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                                          APIs
                                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                          • String ID: .tmp
                                                                                          • API String ID: 1375471231-2986845003
                                                                                          • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                          • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                                                          • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                          • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                                          APIs
                                                                                            • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                            • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                            • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                            • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                            • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                            • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                            • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                            • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                            • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                            • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                            • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                            • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                          • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                          • API String ID: 3869789854-2936008475
                                                                                          • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                          • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                                                          • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                          • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                                                          APIs
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID: RegisteredOrganization$RegisteredOwner
                                                                                          • API String ID: 3535843008-1113070880
                                                                                          • Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                          • Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
                                                                                          • Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                          • Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                                            • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                                          • String ID: CreateFile
                                                                                          • API String ID: 2528220319-823142352
                                                                                          • Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                          • Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
                                                                                          • Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                          • Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Open
                                                                                          • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                          • API String ID: 71445658-2565060666
                                                                                          • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                          • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                                                          • Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                          • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                                                          APIs
                                                                                            • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                                            • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                            • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                          • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                          • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                          • API String ID: 2906209438-2320870614
                                                                                          • Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                          • Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
                                                                                          • Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                          • Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E
                                                                                          APIs
                                                                                            • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                            • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                          • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                          Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: AddressErrorLibraryLoadModeProc
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2492108670-2683653824
• Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
• Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
• Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
• Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
APIs
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
Similarity
• API ID: AddressLibraryLoadProc
• String ID:
• API String ID: 2574300362-0
• Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
• Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
• Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
• Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
• Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
• Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
• Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
• Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
• TranslateMessage.USER32(?), ref: 0042448F
• DispatchMessageA.USER32(?), ref: 00424499
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
• Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
• Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
• Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
• Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
APIs
• SetPropA.USER32(00000000,00000000), ref: 0041666A
• SetPropA.USER32(00000000,00000000), ref: 0041667F
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
• Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
• Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
• Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
• Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
APIs
• IsWindowVisible.USER32(?), ref: 0041EE64
• IsWindowEnabled.USER32(?), ref: 0041EE6E
• EnableWindow.USER32(?,00000000), ref: 0041EE94
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
• Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
• Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
• Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
• Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
APIs
• SetActiveWindow.USER32(?), ref: 0046A02D
Strings
Similarity
• API ID: ActiveWindow
• String ID: PrepareToInstall
• API String ID: 2558294473-1101760603
• Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
• Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
• Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
• Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
Strings
Similarity
• API ID:
• String ID: /:*?"<>|
• API String ID: 0-4078764451
• Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
• Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
• Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
• Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
APIs
• SetActiveWindow.USER32(?), ref: 00482676
Strings
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
• Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
• Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
• Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
• Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
• Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
• Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
• Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
• Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
Strings
• Inno Setup: Setup Version, xrefs: 0046EE65
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Value
                                                                                          • String ID: Inno Setup: Setup Version
                                                                                          • API String ID: 3702945584-4166306022
                                                                                          • Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                          • Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
                                                                                          • Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                          • Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
                                                                                          APIs
                                                                                          • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Value
                                                                                          • String ID: NoModify
                                                                                          • API String ID: 3702945584-1699962838
                                                                                          • Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                          • Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
                                                                                          • Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                          • Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
                                                                                          APIs
                                                                                          • GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
                                                                                            • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                                            • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                                            • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                                                          • SendNotifyMessageA.USER32(000203CE,00000496,00002711,-00000001), ref: 0047E6BA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                          • String ID:
                                                                                          • API String ID: 2649214853-0
                                                                                          • Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                          • Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
                                                                                          • Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                          • Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                                            • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMetricsMultiSystemWide
                                                                                          • String ID: /G
                                                                                          • API String ID: 224039744-2088674125
                                                                                          • Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                          • Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
                                                                                          • Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                          • Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
                                                                                          APIs
                                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                            • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                            • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                            • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                            • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                          • String ID:
                                                                                          • API String ID: 296031713-0
                                                                                          • Opcode ID: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                          • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                                                          • Opcode Fuzzy Hash: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                          • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                                                          APIs
                                                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                                          • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseEnum
                                                                                          • String ID:
                                                                                          • API String ID: 2818636725-0
                                                                                          • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                          • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                                          • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                          • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                                          APIs
                                                                                            • Part of subcall function 00495508: GetDC.USER32(00000000), ref: 00495519
                                                                                            • Part of subcall function 00495508: SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                            • Part of subcall function 00495508: GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                            • Part of subcall function 00495508: GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                            • Part of subcall function 00495508: ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                          • MulDiv.KERNEL32(?,?,00000006), ref: 00495AFB
                                                                                          • MulDiv.KERNEL32(?,?,0000000D), ref: 00495B10
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Text$ExtentMetricsObjectPointReleaseSelect
                                                                                          • String ID:
                                                                                          • API String ID: 844173074-0
                                                                                          • Opcode ID: 0ae29da0906a83ea8dd71af8a3b995980c0d8de00cfc8428832f083f9a8e0037
                                                                                          • Instruction ID: abe69acf9078cd54ec5aa8dad2b6463f40ee800cf76dae291ad797c0d2ca63cb
                                                                                          • Opcode Fuzzy Hash: 0ae29da0906a83ea8dd71af8a3b995980c0d8de00cfc8428832f083f9a8e0037
                                                                                          • Instruction Fuzzy Hash: FC21D6713012009FDB50DF69C8C5AA637E9EB89314F6446B9FD08CF29ADB35EC058B65
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                          • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateErrorLastProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2919029540-0
                                                                                          • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                          • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                          • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                          • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                          APIs
                                                                                          • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                          • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$FindFree
                                                                                          • String ID:
                                                                                          • API String ID: 4097029671-0
                                                                                          • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                          • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                          • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                          • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
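The "APIs" records above follow one fixed shape: an optional "Part of subcall function ADDR:" prefix, then Api.MODULE, an optional argument list rendered by the sandbox (literal hex values, `?` for unknown, strings inline without quotes), and the call site after "ref:". The parser below, an added example that is not Joe Sandbox code and not part of this report, turns a handful of those lines into structured records and triages them the way an analyst would on first read: bucket the calls by behaviour (registry writes, process creation, window enumeration; the grouping is this example's own, not the sandbox's) and pull out the Inno Setup installer markers ("Inno Setup: Setup Version", "NoModify" and the `_is1` uninstall-key suffix passed to RegSetValueExA). The sample input is constructed from lines on this page.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' records and triage them by behaviour."""
import re
from collections import defaultdict

# Constructed sample: records copied from the function annotations in this
# report (RegSetValueExA, CreateProcessA/GetLastError, GetCurrentThreadId,
# EnumThreadWindows) plus one 'Part of subcall function' line, so the parser
# is exercised on every line shape the report uses.
SAMPLE_RECORDS = """\
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
  • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
• CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
• GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
• GetCurrentThreadId.KERNEL32 ref: 0041EEF3
• EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
"""

# One record per line: optional subcall prefix, Api.MODULE, optional (args), "ref: ADDR".
RECORD_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Behaviour buckets to triage first. This grouping is the example's own assumption,
# not a Joe Sandbox category.
CATEGORIES = {
    "registry_write": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "process_create": {"CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW"},
    "window_enum": {"EnumThreadWindows", "EnumWindows"},
}
# The sandbox prints numeric arguments as 8 hex digits (optionally negative).
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")


def parse_record(line):
    """Return a dict for one API line, or None if the line is not an API record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Strings are rendered inline without quotes, so a string argument that
    # itself contains a comma would be split here; none on this page do.
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
        "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def parse_records(text):
    """Parse every API record in a block of report text, skipping other lines."""
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def string_args(record):
    """Arguments that are neither '?' nor a hex literal, i.e. the inline strings."""
    return [a for a in record["args"] if a != "?" and not HEX_RE.match(a)]


def summarize(records):
    """Bucket APIs by behaviour and collect Inno Setup installer markers."""
    buckets = defaultdict(set)
    markers = set()
    for r in records:
        for cat, apis in CATEGORIES.items():
            if r["api"] in apis:
                buckets[cat].add(r["api"])
        for s in string_args(r):
            # "_is1" is the suffix Inno Setup appends to its uninstall key; the
            # value names "Inno Setup: Setup Version" and "NoModify" live under it.
            if s.startswith("Inno Setup") or s in ("_is1", "NoModify"):
                markers.add(s)
    return {
        "categories": {k: sorted(v) for k, v in buckets.items()},
        "inno_setup_markers": sorted(markers),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for rec in recs:
        print(f"{rec['ref']:08X} {rec['api']}.{rec['module']} strings={string_args(rec)}")
    print(summarize(recs))
```

Feeding the whole "APIs" section of a report through `parse_records` and then `summarize` gives a quick map of which call sites write the registry, spawn processes or enumerate windows, with the `ref:` address ready to jump to in the disassembly; the Inno Setup markers confirm the registry writes here are the installer's own uninstall-key bookkeeping rather than a persistence mechanism of the payload.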
                                                                                          APIs
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                          • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Thread$CurrentEnumWindows
• String ID:
• API String ID: 2396873506-0
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
• GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
• GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423249
• LoadCursorA.USER32(00000000,00000000), ref: 00423273
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
APIs
• SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
• CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
Similarity
• API ID: FolderFreeKnownPathTask
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 969438705-544719455
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
  • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
APIs
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
  • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
  • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3319771486-0
                                                                                          • Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                          • Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
                                                                                          • Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                          • Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3934441357-0
                                                                                          • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                          • Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
                                                                                          • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                          • Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
                                                                                          APIs
                                                                                          • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID:
                                                                                          • API String ID: 716092398-0
                                                                                          • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                          • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                                          • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                          • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                          • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                          • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                          • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                          • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                                          • Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                          • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                          APIs
                                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID:
                                                                                          • API String ID: 3188754299-0
                                                                                          • Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                          • Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
                                                                                          • Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                          • Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
                                                                                          APIs
                                                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FormatMessage
                                                                                          • String ID:
                                                                                          • API String ID: 1306739567-0
                                                                                          • Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                          • Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
                                                                                          • Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                          • Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
                                                                                          APIs
                                                                                          • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExtentPointText
                                                                                          • String ID:
                                                                                          • API String ID: 566491939-0
                                                                                          • Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                          • Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
                                                                                          • Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                          • Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
                                                                                          APIs
                                                                                          • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID:
                                                                                          • API String ID: 716092398-0
                                                                                          • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                          • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                                          • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                          • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                          • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                          • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                          • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                          APIs
                                                                                          • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseFind
                                                                                          • String ID:
                                                                                          • API String ID: 1863332320-0
                                                                                          • Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                          • Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
                                                                                          • Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                          • Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                          • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                          • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                          • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3934441357-0
                                                                                          • Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                          • Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
                                                                                          • Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                          • Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
                                                                                          APIs
                                                                                            • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
                                                                                          • ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                            • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
                                                                                          Similarity
                                                                                          • API ID: InfoParametersSystem$ShowWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3202724764-0
                                                                                          • Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                          • Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
                                                                                          • Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                          • Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
                                                                                          APIs
                                                                                          • SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                          Similarity
                                                                                          • API ID: TextWindow
                                                                                          • String ID:
                                                                                          • API String ID: 530164218-0
                                                                                          • Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                          • Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
                                                                                          • Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                          • Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                          • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                          • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                          • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                          APIs
                                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID:
                                                                                          • API String ID: 3188754299-0
                                                                                          • Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                          • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                                          • Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                          • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                          • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                          • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                          • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                          APIs
                                                                                          • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                            • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLast
                                                                                          • String ID:
                                                                                          • API String ID: 734332943-0
                                                                                          • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                          • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                                          • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                          • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                                          APIs
                                                                                          • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                          Similarity
                                                                                          • API ID: CurrentDirectory
                                                                                          • String ID:
                                                                                          • API String ID: 1611563598-0
                                                                                          • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                          • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                          • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                          • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                          • Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
                                                                                          • Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                          • Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: DestroyWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3375834691-0
                                                                                          • Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                          • Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
                                                                                          • Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                          • Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                          • Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
                                                                                          • Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                          • Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                          • Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
                                                                                          • Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                          • Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast
                                                                                          • String ID:
                                                                                          • API String ID: 1452528299-0
                                                                                          • Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                          • Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
                                                                                          • Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                          • Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
                                                                                          APIs
                                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 1263568516-0
                                                                                          • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                          • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                                          • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                          • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          • Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                          • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                          • Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                          • Instruction Fuzzy Hash:
                                                                                          APIs
                                                                                          • GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                          • SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                          • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                          • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                          • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                          • FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                          • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                          • API String ID: 2323315520-3614243559
                                                                                          • Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                          • Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
                                                                                          • Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                          • Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0045862F
                                                                                          • QueryPerformanceCounter.KERNEL32(02133858,00000000,004588C2,?,?,02133858,00000000,?,00458FBE,?,02133858,00000000), ref: 00458638
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(02133858,02133858), ref: 00458642
                                                                                          • GetCurrentProcessId.KERNEL32(?,02133858,00000000,004588C2,?,?,02133858,00000000,?,00458FBE,?,02133858,00000000), ref: 0045864B
                                                                                          • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
                                                                                          • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02133858,02133858), ref: 004586CF
                                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
                                                                                          • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
                                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
                                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
                                                                                          • CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
                                                                                            • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                          • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                          • API String ID: 770386003-3271284199
                                                                                          • Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                          • Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
                                                                                          • Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                          • Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
                                                                                          APIs
                                                                                            • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                            • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                            • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                            • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8), ref: 004783CC
                                                                                            • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,02132BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                            • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,02132BD8,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
                                                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
                                                                                          • GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
                                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
                                                                                          • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
                                                                                          • CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                          • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                          • API String ID: 883996979-221126205
                                                                                          • Opcode ID: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                          • Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
                                                                                          • Opcode Fuzzy Hash: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                          • Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
                                                                                          APIs
                                                                                          • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                                                          • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSendShowWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1631623395-0
                                                                                          • Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                          • Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
                                                                                          • Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                          • Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
                                                                                          APIs
                                                                                          • IsIconic.USER32(?), ref: 00418393
                                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                          • GetWindowRect.USER32(?), ref: 004183CC
                                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                          • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                          • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                          • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                          • String ID: ,
                                                                                          • API String ID: 2266315723-3772416878
                                                                                          • Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                          • Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
                                                                                          • Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                          • Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                                                          • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                          • String ID: SeShutdownPrivilege
                                                                                          • API String ID: 107509674-3733053543
                                                                                          • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                          • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                                          • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                          • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                                                          APIs
                                                                                          • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                                                          • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                                                          • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                                                          • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$CryptVersion
                                                                                          • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                          • API String ID: 1951258720-508647305
                                                                                          • Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                          • Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
                                                                                          • Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                          • Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
                                                                                          APIs
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
                                                                                          • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
                                                                                          • FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileFind$AttributesCloseFirstNext
                                                                                          • String ID: isRS-$isRS-???.tmp
                                                                                          • API String ID: 134685335-3422211394
                                                                                          • Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                          • Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
                                                                                          • Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                          • Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
                                                                                          APIs
                                                                                          • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
                                                                                          • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
                                                                                          • SetForegroundWindow.USER32(?), ref: 00457649
                                                                                          • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
                                                                                          Strings
                                                                                          • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                          • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                          • API String ID: 2236967946-3182603685
                                                                                          • Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                          • Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
                                                                                          • Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                          • Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                          • API String ID: 1646373207-3712701948
                                                                                          • Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                          • Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
                                                                                          • Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                          • Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
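The chains in the blocks above that the Signatures section rolls up (ShellExecuteEx with the runas verb followed by MsgWaitForMultipleObjects and GetExitCodeProcess; SeShutdownPrivilege enabled through AdjustTokenPrivileges before ExitWindowsEx(00000002), i.e. EWX_REBOOT; GetProcAddress on the _ISCRYPT module's ArcFourInit/ArcFourCrypt exports; GetModuleHandleA plus GetProcAddress for GetDiskFreeSpaceExA) can be extracted from the report text mechanically. The Python below is an added triage example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the "APIs ... Similarity" blocks in the layout shown on this page and flags those chains. SAMPLE is constructed from four of the blocks above, trimmed to the lines the parser reads; the rule names, finding text and the EWX_* flag table are this example's own. One caveat for reading the findings: the strings around these routines ("ShellExecuteEx returned hProcess=0", "isRS-???.tmp", "Cannot evaluate variable because [Code] isn't running yet", the ISCrypt exports) are those of an Inno Setup installer runtime, so the elevation and reboot chains are most plausibly the installer wrapper's own logic rather than payload-specific behaviour; that is an inference from the strings, not something the report states.

```python
"""Triage helper for Joe Sandbox function blocks (added example, not report code).
Parses each 'APIs ... Similarity' block, keeps the API chain plus the
'String ID' strings, and flags elevation / reboot / RC4 / dynamic-resolution
chains. Rule names and the EWX_* table are this example's own assumptions."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# One APIs entry, direct or prefixed with "Part of subcall function XXXX:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[\w ]+): (?P<val>.*)$")
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# ExitWindowsEx uFlags bits from winuser.h; no bit set means EWX_LOGOFF.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}

# Constructed from four blocks of this report, trimmed to the lines used here.
SAMPLE = """\
APIs
  • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
• ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
Strings
Similarity
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
Similarity
• String ID: SeShutdownPrivilege
• Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
APIs
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
Similarity
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
Similarity
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
"""

Call = namedtuple("Call", "api module args ref subcall_of")  # subcall_of: callee address or ""

@dataclass
class Block:
    calls: list = field(default_factory=list)
    strings: set = field(default_factory=set)   # 'String ID' field split on '$'
    instruction_id: str = ""

def parse_blocks(text):
    """Each 'APIs' header starts a block; later section headers switch context."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, section = Block(), "APIs"
            blocks.append(cur)
        elif cur is None:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.calls.append(Call(m["api"], m["mod"], m["args"].split(","), m["ref"], m["sub"] or ""))
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            if m["key"] == "String ID":
                cur.strings.update(s for s in m["val"].split("$") if s)
            elif m["key"] == "Instruction ID":
                cur.instruction_id = m["val"]
    return blocks

def decode_ewx_flags(flags):
    names = [name for bit, name in EWX_FLAGS.items() if flags & bit]
    return names or ["EWX_LOGOFF"]

def triage(block):
    """Findings for one block; rules use direct calls (subcalls excluded) plus strings."""
    apis = {c.api for c in block.calls if not c.subcall_of}
    s, hits = block.strings, []
    if "ShellExecuteEx" in apis and "runas" in s:
        hits.append("elevation: ShellExecuteEx with the 'runas' verb (UAC prompt)")
    if "ExitWindowsEx" in apis and "SeShutdownPrivilege" in s:
        call = next(c for c in block.calls if c.api == "ExitWindowsEx")
        flags = "|".join(decode_ewx_flags(int(call.args[0], 16)))   # first stack arg = uFlags
        hits.append(f"reboot: SeShutdownPrivilege enabled, then ExitWindowsEx({flags})")
    if "GetProcAddress" in apis and {"ArcFourInit", "ArcFourCrypt"} <= s:
        hits.append("rc4: resolves ArcFourInit/ArcFourCrypt (ISCrypt.dll exports) via GetProcAddress")
    elif {"GetProcAddress", "GetModuleHandleA"} <= apis:
        names = sorted(n for n in s if not n.lower().endswith(".dll"))
        hits.append("dynamic-resolution: " + ", ".join(names))
    return hits

def triage_report(text):
    """Map the first 8 hex digits of each block's Instruction ID to its findings."""
    return {b.instruction_id[:8]: triage(b) for b in parse_blocks(text) if b.instruction_id}
```

Feed it the report text (or the SAMPLE above) and print triage_report(...) to get one findings list per Instruction ID. Subcall entries are kept on each Call but left out of rule matching so a caller's findings are not inflated by the resolver stubs of its callees; the Memory Dump Source and IDA Plugin lines are skipped rather than parsed.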
                                                                                          APIs
                                                                                          • IsIconic.USER32(?), ref: 00417D0F
                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Placement$Iconic
                                                                                          • String ID: ,
                                                                                          • API String ID: 568898626-3772416878
                                                                                          • Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                          • Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
                                                                                          • Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                          • Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
                                                                                          • FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                                                          • String ID:
                                                                                          • API String ID: 4011626565-0
                                                                                          • Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                          • Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
                                                                                          • Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                          • Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
                                                                                          • FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                                                          • String ID:
                                                                                          • API String ID: 4011626565-0
                                                                                          • Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                          • Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
                                                                                          • Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                          • Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
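Every "APIs" entry in this report has the same shape: a bullet, an optional "Part of subcall function ADDR:" prefix, `Name.MODULE(arg,arg,...)`, and `ref: ADDR` giving the call site. Reading dozens of these by eye is slow, so here is an added example, not part of the Joe Sandbox report, that parses such lines into structured records and checks the call order of a function against a small table of behaviour patterns (the directory-walk triple FindFirstFileA, FindNextFileA, FindClose seen in the two entries above, and CreateFileA followed by DeviceIoControl). The sample lines are constructed after the entries on this page; the pattern table and the `?` handling are my own choices. One caveat a practitioner should keep in mind: the sandbox prints whatever it finds on the stack, so the argument list is usually longer than the API's real prototype and only the leading values are parameters.

```python
import re

# Constructed sample, shaped like the report's "APIs" entries (not copied verbatim).
SAMPLE_LINES = """
• SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C), ref: 00463E2E
• FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C), ref: 00463E48
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?), ref: 0042E956
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
• Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009), ref: 00423667
""".strip().splitlines()

# Bullet, optional subcall prefix, Name.MODULE(args), ", ref: ADDR".  "?" marks an
# argument the sandbox could not resolve.
LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]{8}):\s*)?
        (?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)
        \((?P<args>[^)]*)\)
        ,\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""",
    re.X,
)

# Ordered call patterns; my own table, not something the sandbox defines.
BEHAVIOURS = {
    "directory enumeration": ("FindFirstFileA", "FindNextFileA", "FindClose"),
    "device/volume control": ("CreateFileA", "DeviceIoControl"),
}


def parse_api_line(line):
    """Return a dict for one report line, or None if the line is not an API entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [None if a == "?" else a for a in raw.split(",")] if raw else []
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": args,  # may be longer than the real prototype (stack residue)
        "ref": int(m.group("ref"), 16),
        "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def matches_in_order(calls, pattern):
    """True if every API in `pattern` occurs in `calls` in that order (gaps allowed)."""
    names = iter(c["api"] for c in calls)
    return all(any(n == want for n in names) for want in pattern)


def classify(lines):
    """Names of behaviour patterns matched by the function's own (non-subcall) calls."""
    calls = [c for c in map(parse_api_line, lines) if c]
    direct = [c for c in calls if c["subcall_of"] is None]
    return sorted(name for name, pat in BEHAVIOURS.items() if matches_in_order(direct, pat))


if __name__ == "__main__":
    for rec in filter(None, map(parse_api_line, SAMPLE_LINES)):
        print(f'{rec["ref"]:08X} {rec["api"]}.{rec["module"]} {rec["args"][:4]}')
    print(classify(SAMPLE_LINES))
```

Subcall lines are parsed but excluded from pattern matching on purpose: they describe a callee, so counting them would attribute the callee's behaviour to every caller that reaches it.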
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
                                                                                          • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
                                                                                          • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
                                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
                                                                                          • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                          • String ID:
                                                                                          • API String ID: 1177325624-0
                                                                                          • Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                          • Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
                                                                                          • Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                          • Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
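The entry above is the one behind the "communicate with device drivers" signature: CreateFileA with access C0000000, share mode 1, disposition 3 and flags 02000000, then DeviceIoControl with control code 0009C040 and a 2-byte input buffer. Those raw numbers are what a reader has to interpret, so here is an added example, not from the report, that decodes them. The control-code split follows the documented CTL_CODE layout (device type in bits 31..16, required access in 15..14, function in 13..2, transfer method in 1..0); 0x0009C040 is the documented value of FSCTL_SET_COMPRESSION, whose input is a 2-byte USHORT compression state, which agrees with the nInBufferSize of 2 shown above. The lookup tables are mine and deliberately small; unknown values are reported as hex rather than guessed. As in the rest of the report, only the leading arguments are real parameters, and the first argument of both calls is printed as 00000000, so the example does not try to name the opened path or handle.

```python
# Added example: decode the raw Win32 values a sandbox prints for
# CreateFileA / DeviceIoControl.  Constants are documented Win32 values;
# the tables are intentionally partial.

DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x22: "FILE_DEVICE_UNKNOWN", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
KNOWN_CODES = {
    0x00090018: "FSCTL_LOCK_VOLUME",
    0x00090020: "FSCTL_DISMOUNT_VOLUME",
    0x0009003C: "FSCTL_GET_COMPRESSION",
    0x0009C040: "FSCTL_SET_COMPRESSION",
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x20000000: "FILE_FLAG_NO_BUFFERING",
         0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields: type<<16 | access<<14 | function<<2 | method."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}


def describe_ioctl(code):
    """Human-readable view of a control code; 'name' is None when the code is not in the table."""
    f = decode_ioctl(code)
    return {"name": KNOWN_CODES.get(code),
            "device_type": DEVICE_TYPES.get(f["device_type"], hex(f["device_type"])),
            "access": ACCESS[f["access"]], "function": f["function"],
            "method": METHODS[f["method"]]}


def flag_names(value, table):
    """Expand a bitmask into names in ascending bit order; leftover bits are kept as hex."""
    if value is None:
        return ["?"]
    names, rest = [], value
    for bit in sorted(table):
        if value & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return names


def _report_args(arg_list, count):
    """Turn the report's comma list into ints; '?' becomes None; keep only real parameters."""
    return [None if x == "?" else int(x, 16) for x in arg_list.split(",")][:count]


def describe_create_file(arg_list):
    """CreateFileA has 7 parameters: name, access, share, security, disposition, flags, template."""
    a = _report_args(arg_list, 7)
    return {"access": flag_names(a[1], GENERIC), "share": flag_names(a[2], SHARE),
            "disposition": DISPOSITION.get(a[4], hex(a[4]) if a[4] is not None else "?"),
            "flags": flag_names(a[5], FLAGS)}


def describe_device_io_control(arg_list):
    """DeviceIoControl has 8 parameters; index 1 is the code, 3 and 5 the buffer sizes."""
    a = _report_args(arg_list, 8)
    d = describe_ioctl(a[1])
    d["in_size"], d["out_size"] = a[3], a[5]
    return d


if __name__ == "__main__":
    # Argument lists as printed in the report entry above.
    print(describe_create_file("00000000,C0000000,00000001,00000000,00000003,02000000,"
                               "00000000,?,?,?,?,00452F3F,00000000,00452F60"))
    print(describe_device_io_control("00000000,0009C040,?,00000002,00000000,00000000,?,00000000"))
```

The access field inside the control code (here FILE_READ_ACCESS|FILE_WRITE_ACCESS) is the check the I/O manager applies against the handle, which is why the preceding CreateFileA asks for GENERIC_READ|GENERIC_WRITE; a mismatch between the two is a quick sanity check when a report's argument capture is incomplete.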
                                                                                          APIs
                                                                                          • IsIconic.USER32(?), ref: 0048397A
                                                                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
                                                                                          • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
                                                                                          • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Show$IconicLong
                                                                                          • String ID:
                                                                                          • API String ID: 2754861897-0
                                                                                          • Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                          • Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
                                                                                          • Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                          • Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C
                                                                                          APIs
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
                                                                                          • FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                          • String ID:
                                                                                          • API String ID: 3541575487-0
                                                                                          • Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                          • Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
                                                                                          • Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                          • Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
                                                                                          APIs
                                                                                          • IsIconic.USER32(?), ref: 004241E4
                                                                                          • SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
                                                                                            • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                            • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021325AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
                                                                                          • SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ActiveFocusIconicShow
                                                                                          • String ID:
                                                                                          • API String ID: 649377781-0
                                                                                          • Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                          • Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
                                                                                          • Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                          • Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
                                                                                          APIs
                                                                                          • IsIconic.USER32(?), ref: 00417D0F
                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Placement$Iconic
                                                                                          • String ID:
                                                                                          • API String ID: 568898626-0
                                                                                          • Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                          • Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
                                                                                          • Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                          • Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CaptureIconic
                                                                                          • String ID:
                                                                                          • API String ID: 2277910766-0
                                                                                          • Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                          • Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
                                                                                          • Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                          • Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
                                                                                          APIs
                                                                                          • IsIconic.USER32(?), ref: 0042419B
                                                                                            • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                            • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                            • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                            • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                          • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                            • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                          • String ID:
                                                                                          • API String ID: 2671590913-0
                                                                                          • Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                          • Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
                                                                                          • Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                          • Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
                                                                                          APIs
                                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: NtdllProc_Window
                                                                                          • String ID:
                                                                                          • API String ID: 4255912815-0
                                                                                          • Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                          • Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
                                                                                          • Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                          • Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
                                                                                          APIs
                                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: NtdllProc_Window
                                                                                          • String ID:
                                                                                          • API String ID: 4255912815-0
                                                                                          • Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                          • Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
                                                                                          • Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                          • Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58
                                                                                          APIs
                                                                                          • ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CryptFour
                                                                                          • String ID:
                                                                                          • API String ID: 2153018856-0
                                                                                          • Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                          • Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
                                                                                          • Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                          • Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574
                                                                                          APIs
                                                                                          • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CryptFour
                                                                                          • String ID:
                                                                                          • API String ID: 2153018856-0
                                                                                          • Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
                                                                                          • Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
                                                                                          • Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
                                                                                          • Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2614864790.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2614779308.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000001.00000002.2614930239.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_10000000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                          • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                          • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                          • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2614864790.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2614779308.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000001.00000002.2614930239.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_10000000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                          • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                          • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                          • Instruction Fuzzy Hash:
                                                                                          APIs
                                                                                            • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                                          • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoadVersion
                                                                                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                          • API String ID: 1968650500-2910565190
                                                                                          • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                          • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                                          • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                          • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                                          APIs
                                                                                          • GetDC.USER32(00000000), ref: 0041CA40
                                                                                          • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                                          • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                                          • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                                          • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                                          • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                                          • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                                          • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                                          • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                                          • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                                          • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                                          • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                                          • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                                          • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                                          • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                                          • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                                          • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                                            • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                          • String ID:
                                                                                          • API String ID: 269503290-0
                                                                                          • Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                          • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                                          • Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                          • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                                          APIs
                                                                                          • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                                                          • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                                                          Strings
                                                                                          • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                                                          • IPersistFile::Save, xrefs: 00456962
                                                                                          • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                                                          • IPropertyStore::Commit, xrefs: 004568E3
                                                                                          • CoCreateInstance, xrefs: 004566AF
                                                                                          • {pf32}\, xrefs: 0045671E
                                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                                                          • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateInstance$FreeString
                                                                                          • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                          • API String ID: 308859552-2363233914
                                                                                          • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                          • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
                                                                                          • Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                          • Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
                                                                                          APIs
                                                                                          • ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
                                                                                          • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
                                                                                          • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
                                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
                                                                                          • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
                                                                                            • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                          • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                          • API String ID: 2000705611-3672972446
                                                                                          • Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                          • Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
                                                                                          • Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                          • Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast
                                                                                          • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                          • API String ID: 1452528299-3112430753
                                                                                          • Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                                          • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                                                          • Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                                          • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                                          APIs
                                                                                          • GetVersion.KERNEL32 ref: 0045CBDA
                                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                                                          • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                                                          • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                                                          • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                                            • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                          • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                          • API String ID: 59345061-4263478283
                                                                                          • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                          • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                                                          • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                          • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
                                                                                          APIs
                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                                          • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                                          • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                                          • GetDC.USER32(00000000), ref: 0041B402
                                                                                          • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                                          • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                          • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                          • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                          • String ID:
                                                                                          • API String ID: 644427674-0
                                                                                          • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                          • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                                          • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                          • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                                          APIs
                                                                                            • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                                                          • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                          • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                          • API String ID: 971782779-3668018701
                                                                                          • Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                          • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                                                          • Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                          • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                                                          APIs
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                                            • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                          • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                                          • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                                          Strings
                                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                                          • , xrefs: 004548FE
                                                                                          • RegOpenKeyEx, xrefs: 00454910
                                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: QueryValue$FormatMessageOpen
                                                                                          • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                          • API String ID: 2812809588-1577016196
                                                                                          • Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                          • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                                          • Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                          • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                          APIs
                                                                                            • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                                          Strings
                                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                                          • v4.0.30319, xrefs: 004594F1
                                                                                          • .NET Framework not found, xrefs: 0045961D
                                                                                          • v2.0.50727, xrefs: 0045955B
                                                                                          • .NET Framework version %s not found, xrefs: 00459609
                                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                                          • v1.1.4322, xrefs: 004595C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Close$Open
                                                                                          • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                          • API String ID: 2976201327-446240816
                                                                                          • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                          • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                                          • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                          • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
                                                                                          APIs
                                                                                          • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                                          • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                                          • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                          • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                          • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                          Strings
                                                                                          • Helper process exited., xrefs: 00458AC5
                                                                                          • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                          • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                          • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                          • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                          • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                          • API String ID: 3355656108-1243109208
                                                                                          • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                          • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                          • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                          • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                                          APIs
                                                                                            • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                            • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                          Strings
                                                                                          • RegCreateKeyEx, xrefs: 004545C3
                                                                                          • , xrefs: 004545B1
                                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseCreateFormatMessageQueryValue
                                                                                          • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                          • API String ID: 2481121983-1280779767
                                                                                          • Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                          • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                                                          • Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                          • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
                                                                                          APIs
                                                                                            • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                            • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                                                          • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                                                          • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                                                          • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                                            • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                          • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                          • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                          • API String ID: 1549857992-2312673372
                                                                                          • Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                          • Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
                                                                                          • Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                          • Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressCloseHandleModuleProc
                                                                                          • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                                          • API String ID: 4190037839-2312295185
                                                                                          • Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                          • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                                                          • Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                          • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
                                                                                          APIs
                                                                                          • GetActiveWindow.USER32 ref: 004629FC
                                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                                                          • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                          • API String ID: 2610873146-3407710046
                                                                                          • Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                          • Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
                                                                                          • Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                          • Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
                                                                                          APIs
                                                                                          • GetActiveWindow.USER32 ref: 0042F194
                                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                                          • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                          • API String ID: 2610873146-3407710046
                                                                                          • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                          • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                                          • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                          • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,02133858,00000000), ref: 00458C79
                                                                                          • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                                                          • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                                                          • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                                                          • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                                            • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                          • String ID: CreateEvent$TransactNamedPipe
                                                                                          • API String ID: 2182916169-3012584893
                                                                                          • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                          • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                                                          • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                          • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
                                                                                          • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                                          • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                                            • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                          • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                          • API String ID: 1914119943-2711329623
                                                                                          • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                          • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                                                          • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                          • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
                                                                                          APIs
                                                                                          • RectVisible.GDI32(?,?), ref: 00416E13
                                                                                          • SaveDC.GDI32(?), ref: 00416E27
                                                                                          • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                                          • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                                          • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                                          • DeleteObject.GDI32(?), ref: 00416F22
                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                                          • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                                          • DeleteObject.GDI32(?), ref: 00416F6F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                          • String ID:
                                                                                          • API String ID: 375863564-0
                                                                                          • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                          • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                                          • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                          • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                          • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                          • String ID:
                                                                                          • API String ID: 1694776339-0
                                                                                          • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                          • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                          • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                          • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                          APIs
                                                                                          • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                                          • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                                          • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                                          • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                                          • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                                          • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                                          • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                                          • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$Delete$EnableItem$System
                                                                                          • String ID:
                                                                                          • API String ID: 3985193851-0
                                                                                          • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                          • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                                          • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                          • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                                          APIs
                                                                                          • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                                          • SendNotifyMessageA.USER32(000203CE,00000496,00002710,00000000), ref: 00481A97
                                                                                          Strings
                                                                                          • GetCustomSetupExitCode, xrefs: 004818B1
                                                                                          • Deinitializing Setup., xrefs: 00481872
                                                                                          • DeinitializeSetup, xrefs: 0048190D
                                                                                          • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                                          • Restarting Windows., xrefs: 00481A72
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeLibrary$MessageNotifySend
                                                                                          • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                          • API String ID: 3817813901-1884538726
                                                                                          • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                          • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                                          • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                          • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                                                          APIs
                                                                                          • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                                                          • GetActiveWindow.USER32 ref: 0046172B
                                                                                          • CoInitialize.OLE32(00000000), ref: 0046173F
                                                                                          • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                                                          • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                                                          • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                                                          • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                          • String ID: A
                                                                                          • API String ID: 2684663990-3554254475
                                                                                          • Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                          • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                                                          • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                          • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                                                          APIs
                                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                                            • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                                            • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                                                          • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                          • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                          • API String ID: 884541143-1710247218
                                                                                          • Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                          • Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
                                                                                          • Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                          • Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
                                                                                          APIs
                                                                                          • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
                                                                                          • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
                                                                                          • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
                                                                                          • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc
                                                                                          • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                          • API String ID: 190572456-3516654456
                                                                                          • Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                          • Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
                                                                                          • Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                          • Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
                                                                                          APIs
                                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                                          • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                                          • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                                          • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$StretchText
                                                                                          • String ID:
                                                                                          • API String ID: 2984075790-0
                                                                                          • Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                          • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                                                          • Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                          • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                                                          APIs
                                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseDirectoryHandleSystem
                                                                                          • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                          • API String ID: 2051275411-1862435767
                                                                                          • Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                          • Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
                                                                                          • Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                          • Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
                                                                                          APIs
                                                                                          • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                                          • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                                          • GetSysColor.USER32(00000010), ref: 0044D202
                                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Text$Color$Draw$OffsetRect
                                                                                          • String ID:
                                                                                          • API String ID: 1005981011-0
                                                                                          • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                          • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                                          • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                          • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                                                          APIs
                                                                                          • GetFocus.USER32 ref: 0041B745
                                                                                          • GetDC.USER32(?), ref: 0041B751
                                                                                          • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                                          • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                                          • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                                          • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                          • String ID: %H
                                                                                          • API String ID: 3275473261-1959103961
                                                                                          • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                          • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                                          • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                          • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                                          APIs
                                                                                          • GetFocus.USER32 ref: 0041BA17
                                                                                          • GetDC.USER32(?), ref: 0041BA23
                                                                                          • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                          • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                          • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                          • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                          • String ID: %H
                                                                                          • API String ID: 3275473261-1959103961
                                                                                          • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                          • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                                          • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                          • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                                          APIs
                                                                                            • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                            • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                          • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                          • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                          • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                          • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                          Strings
                                                                                          • Deleting Uninstall data files., xrefs: 004964FB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                          • String ID: Deleting Uninstall data files.
                                                                                          • API String ID: 1570157960-2568741658
                                                                                          • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                          • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                          • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                          • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                          APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
• AddFontResourceA.GDI32(00000000), ref: 00470297
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
Strings
• Failed to set value in Fonts registry key., xrefs: 0047026C
• AddFontResource, xrefs: 004702B5
• Failed to open Fonts registry key., xrefs: 00470281
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
• Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
• Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
• Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
• Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
APIs
  • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
  • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
  • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
• GetVersion.KERNEL32 ref: 00462E60
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
• SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
• LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
• SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
• SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
Strings
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
• Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
• Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
• Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
• Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8), ref: 004783CC
• CloseHandle.KERNEL32(00000000,?,?,?,02132BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
Strings
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
• Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
• Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
• Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
• Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
APIs
• GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
  • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
Strings
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
• Deleting directory: %s, xrefs: 00459E5B
• Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
• Failed to delete directory (%d)., xrefs: 00459F68
• Stripped read-only attribute., xrefs: 00459E94
• Failed to strip read-only attribute., xrefs: 00459EA0
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
• Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
• Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
• Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
• Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
APIs
• GetCapture.USER32 ref: 00422EA4
• GetCapture.USER32 ref: 00422EB3
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
• ReleaseCapture.USER32 ref: 00422EBE
• GetActiveWindow.USER32 ref: 00422ECD
• SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
• SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
• GetActiveWindow.USER32 ref: 00422FBF
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
• Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
• Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
• Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
• Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
• GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
• GetActiveWindow.USER32 ref: 0042F2DA
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
• SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
Similarity
• API ID: Window$ActiveLong$Message
• String ID:
• API String ID: 2785966331-0
• Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
• Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
• Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
• Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
APIs
• GetDC.USER32(00000000), ref: 0042948A
• GetTextMetricsA.GDI32(00000000), ref: 00429493
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 004294A2
• GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
• SelectObject.GDI32(00000000,00000000), ref: 004294B6
• ReleaseDC.USER32(00000000,00000000), ref: 004294BE
• GetSystemMetrics.USER32(00000006), ref: 004294E3
• GetSystemMetrics.USER32(00000006), ref: 004294FD
Similarity
• API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
• String ID:
• API String ID: 1583807278-0
• Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
• Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
• Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
• Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
APIs
• GetDC.USER32(00000000), ref: 0041DE27
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
• ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
• MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
• GetStockObject.GDI32(00000007), ref: 0041DE5B
• GetStockObject.GDI32(00000005), ref: 0041DE67
• GetStockObject.GDI32(0000000D), ref: 0041DE73
• LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                          • String ID:
                                                                                          • API String ID: 225703358-0
                                                                                          • Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
                                                                                          • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                                                          • Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
                                                                                          • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
APIs
• LoadCursorA.USER32(00000000,00007F02), ref: 00463344
• SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
• SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Cursor$Load
• String ID: $ $Internal error: Item already expanding
• API String ID: 1675784387-1948079669
• Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
• Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• API String ID: 390214022-3304407042
• Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
• Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
• SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
• GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3391662889-4234151509
• Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
• Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
  • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
• Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
APIs
• GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
• InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
  • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
• InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
  • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
• InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Menu$Insert$Create$ItemPopupVersion
• String ID: ,$?
• API String ID: 2359071979-2308483597
• Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
• Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
• DeleteObject.GDI32(?), ref: 0041BF9F
• DeleteObject.GDI32(?), ref: 0041BFA8
• CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Object$BitmapBitsDelete$CreateIcon
• String ID:
• API String ID: 1030595962-0
• Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
• Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
APIs
• SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
• GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
• SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
• RealizePalette.GDI32(?), ref: 0041CF92
• StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
• StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
• SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
• String ID:
• API String ID: 2222416421-0
• Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
• Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
APIs
• SendMessageA.USER32(00000000,?,?), ref: 0045732E
  • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
• TranslateMessage.USER32(?), ref: 004573B3
• DispatchMessageA.USER32(?), ref: 004573BC
Strings
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
• String ID: [Paused]
• API String ID: 1007367021-4230553315
• Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
• Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
• Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
• Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                          APIs
                                                                                          • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                          • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                          • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Cursor$LoadSleep
                                                                                          • String ID: CheckPassword
                                                                                          • API String ID: 4023313301-1302249611
                                                                                          • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                          • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                                                          • Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                          • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                                                          APIs
                                                                                            • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                            • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                            • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                          • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                                                          • GetTickCount.KERNEL32 ref: 00477CE6
                                                                                          • GetTickCount.KERNEL32 ref: 00477CF0
                                                                                          • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                                                          Strings
                                                                                          • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                                                          • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                          • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                          • API String ID: 613034392-3771334282
                                                                                          • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                          • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                                                          • Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                          • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                                                          APIs
                                                                                          • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
                                                                                          Strings
                                                                                          • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                                                          • CreateAssemblyCache, xrefs: 00459836
                                                                                          • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                                                          • Fusion.dll, xrefs: 004597DF
                                                                                          • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc
                                                                                          • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                          • API String ID: 190572456-3990135632
                                                                                          • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                          • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                                                          • Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                          • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
                                                                                          APIs
                                                                                            • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                                                          • GetFocus.USER32 ref: 0041C168
                                                                                          • GetDC.USER32(?), ref: 0041C174
                                                                                          • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                                                          • RealizePalette.GDI32(?), ref: 0041C1A1
                                                                                          • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                                                          • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                                                          • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                          • String ID:
                                                                                          • API String ID: 3303097818-0
                                                                                          • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                          • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                                                          • Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                          • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                                          APIs
                                                                                          • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                                          • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                                          • 6FB62980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                            • Part of subcall function 004107F8: 6FB5C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                                          • 6FBCCB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                                          • 6FBCC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                                          • 6FBCCB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                                          • 6FB60860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem$B60860B62980C400C740
                                                                                          • String ID:
                                                                                          • API String ID: 2995079530-0
                                                                                          • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                          • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                                          • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                          • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                                          APIs
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpen
                                                                                          • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                          • API String ID: 47109696-2530820420
                                                                                          • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                          • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                                                          • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                          • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                                                          APIs
                                                                                          • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                          • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                          • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ObjectSelect$Delete$Stretch
                                                                                          • String ID:
                                                                                          • API String ID: 1458357782-0
                                                                                          • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                          • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                                                          • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                          • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                                                          APIs
                                                                                          • GetCursorPos.USER32 ref: 004233AF
                                                                                          • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                                                          • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                                                          • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                                                          • SetCursor.USER32(00000000), ref: 00423413
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1770779139-0
                                                                                          • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                          • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                                          • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                          • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
                                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
                                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule
                                                                                          • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                          • API String ID: 667068680-2254406584
                                                                                          • Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                          • Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
                                                                                          • Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                          • Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
                                                                                          APIs
                                                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
                                                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
                                                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc
                                                                                          • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                          • API String ID: 190572456-212574377
                                                                                          • Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                          • Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
                                                                                          • Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                          • Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
                                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                                          • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                            • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                            • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                            • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                          • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                          • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                          • API String ID: 142928637-2676053874
                                                                                          • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                          • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                                          • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                          • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                          • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                          • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                          • API String ID: 2238633743-1050967733
                                                                                          • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                          • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                                          • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                          • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                          • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                          • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule
                                                                                          • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                          • API String ID: 667068680-222143506
                                                                                          • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                          • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                                          • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                          • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
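The function summaries above (MonitorFromRect/GetMonitorInfoA, the BZ2_bzDecompress* entry points, ChangeWindowMessageFilterEx, LresultFromObject/CreateStdAccessibleObject, VerSetConditionMask/VerifyVersionInfoW) all show the sample resolving APIs at run time through GetProcAddress instead of importing them, so none of those names appear in the PE import table. The script below is an added example, not Joe Sandbox code: it parses call bullets in the format this report prints and lists the resolved export names per DLL. The sample input is a set of lines copied from the summaries above. It assumes the printed arguments are stack values recovered by the sandbox, so the export name pushed for a GetProcAddress call can show up as an extra argument on the preceding GetModuleHandleA line (as in the ChangeWindowMessageFilterEx summary); treating that as the name is a heuristic, not documented Joe Sandbox behaviour.

```python
"""Pull run-time-resolved imports out of Joe Sandbox "APIs" listings.

Added example for this report; not Joe Sandbox code. Input is the per-function
call bullet format used on the page: `Api.MODULE(arg,arg,...), ref: ADDR`,
optionally prefixed with "Part of subcall function XXXXXXXX:".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One call bullet; `args` is absent for calls printed without parentheses.
CALL_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")  # shape of an export name
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address for "Part of subcall" lines


def parse_blocks(text: str) -> List[List[Call]]:
    """Split at each 'APIs' header and parse the call bullets beneath it.
    Non-call lines (Strings, Memory Dump Source, hashes) are skipped."""
    blocks: List[List[Call]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not blocks:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        blocks[-1].append(Call(m["api"], m["module"], args, m["ref"].upper(), m["sub"]))
    return blocks


def resolved_imports(blocks: List[List[Call]]) -> Dict[str, List[str]]:
    """Map DLL name -> sorted export names fetched via GetProcAddress.

    The report prints recovered stack values, not just formal parameters, so:
      * a GetProcAddress whose 2nd argument is a placeholder (00000000, ?) or a
        stale value such as 'user32.dll' carries no usable name itself;
      * heuristic: the name then usually appears as the extra 2nd argument of
        the preceding GetModuleHandle/LoadLibrary line in the same summary.
    DLL is 'unknown' when no loader call is visible in the summary.
    """
    found: Dict[str, set] = {}
    for block in blocks:
        module, pending = "unknown", None
        for call in block:
            if call.api in LOADERS and call.args:
                if call.args[0].lower().endswith(".dll"):
                    module = call.args[0].lower()
                if len(call.args) > 1 and IDENT_RE.match(call.args[1]):
                    pending = call.args[1]  # staged for the next GetProcAddress
            elif call.api == "GetProcAddress" and len(call.args) > 1:
                name = call.args[1] if IDENT_RE.match(call.args[1]) else pending
                pending = None
                if name:
                    found.setdefault(module, set()).add(name)
    return {dll: sorted(names) for dll, names in sorted(found.items())}


def dynamic_imports(text: str) -> Dict[str, List[str]]:
    return resolved_imports(parse_blocks(text))


# Constructed input: call bullets copied from the function summaries on this page.
SAMPLE = """
APIs
• GetCursorPos.USER32 ref: 004233AF
• WindowFromPoint.USER32(?,?), ref: 004233BC
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
Strings
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
• InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
• Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
• Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
"""

if __name__ == "__main__":
    for dll, names in dynamic_imports(SAMPLE).items():
        print(f"{dll}: {', '.join(names)}")
```

Run against the whole exported report rather than this excerpt to get the complete set of names the sample looks up by string; anything that lands under `unknown` (here the bzip2 routines) means the module handle was obtained in a different function and needs a manual cross-reference in the disassembly.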
                                                                                          APIs
                                                                                          • GetFocus.USER32 ref: 0041B57E
                                                                                          • GetDC.USER32(?), ref: 0041B58A
                                                                                          • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                                          • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                                          • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                                          • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                          • String ID:
                                                                                          • API String ID: 2502006586-0
                                                                                          • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                          • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                                          • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                          • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                                          APIs
                                                                                          • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                          • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast
                                                                                          • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                          • API String ID: 1452528299-1580325520
                                                                                          • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                          • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                                          • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                          • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                                          APIs
                                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                                          • GetDC.USER32(00000000), ref: 0041BDE9
                                                                                          • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDeviceMetricsSystem$Release
                                                                                          • String ID:
                                                                                          • API String ID: 447804332-0
                                                                                          • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                          • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                                          • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                          • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
• LocalFree.KERNEL32(0054E4B8,00000000,00401B68), ref: 00401ACF
• VirtualFree.KERNEL32(?,00000000,00008000,0054E4B8,00000000,00401B68), ref: 00401AEE
• LocalFree.KERNEL32(0054F4B8,?,00000000,00008000,0054E4B8,00000000,00401B68), ref: 00401B2D
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
• RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
• Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
• Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
• Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047E766
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
• GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
• Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
• Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
• Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
APIs
  • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
• UnrealizeObject.GDI32(00000000), ref: 0041B27C
• SelectObject.GDI32(?,00000000), ref: 0041B28E
• SetBkColor.GDI32(?,00000000), ref: 0041B2B1
• SetBkMode.GDI32(?,00000002), ref: 0041B2BC
• SetBkColor.GDI32(?,00000000), ref: 0041B2D7
• SetBkMode.GDI32(?,00000001), ref: 0041B2E2
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
• Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: !nI$.tmp$_iu
• API String ID: 3498533004-584216493
• Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
• Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
• Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
• Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
• Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
• Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
• Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
• Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
• Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
• Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
• Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
• Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
APIs
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
• GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
• CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-3235461205
• Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
• Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
• Opcode Fuzzy Hash: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
• Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
• InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
• Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
• Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
• Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
• Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
Memory Dump Source
• Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
• Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
• Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
• Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
• Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
                                                                                          APIs
                                                                                          • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                          • SaveDC.GDI32(?), ref: 00416C83
                                                                                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                          • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                          • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                          • String ID:
                                                                                          • API String ID: 3808407030-0
                                                                                          • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                          • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                          • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                          • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                          • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                          • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                          • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                                          APIs
                                                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                                          • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                                          • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                                          • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 3850602802-0
                                                                                          • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                          • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                          • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                          • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                                          APIs
                                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                                          • GetDC.USER32(00000000), ref: 0041BC12
                                                                                          • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                                          • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                          • String ID:
                                                                                          • API String ID: 1095203571-0
                                                                                          • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                          • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                          • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                          • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                                          APIs
                                                                                            • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                                                          Strings
                                                                                          • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                                                          • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                                                          • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast
                                                                                          • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                          • API String ID: 1452528299-4018462623
                                                                                          • Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                                          • Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
                                                                                          • Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                                          • Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                                          • String ID:
                                                                                          • API String ID: 262959230-0
                                                                                          • Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                          • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                          • Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                          • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                          APIs
                                                                                          • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
                                                                                          • RealizePalette.GDI32(00000000), ref: 00414421
                                                                                          • SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
                                                                                          • RealizePalette.GDI32(00000000), ref: 0041443B
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00414446
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Palette$RealizeSelect$Release
                                                                                          • String ID:
                                                                                          • API String ID: 2261976640-0
                                                                                          • Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                          • Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
                                                                                          • Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                          • Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
                                                                                          APIs
                                                                                            • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
                                                                                            • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
                                                                                            • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
                                                                                            • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
                                                                                          • OffsetRect.USER32(?,?,?), ref: 00424DC9
                                                                                          • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
                                                                                          • OffsetRect.USER32(?,?,?), ref: 00424E9D
                                                                                            • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
                                                                                            • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
                                                                                            • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
                                                                                            • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
                                                                                          • String ID: vLB
                                                                                          • API String ID: 1477829881-1797516613
                                                                                          • Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                          • Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
                                                                                          • Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                          • Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
                                                                                          APIs
                                                                                          • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
                                                                                          • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
                                                                                          • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
• Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
• Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
• Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
APIs
• SetRectEmpty.USER32(?), ref: 0044D04E
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
Strings
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
• Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
• Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
• Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
APIs
• GetDC.USER32(00000000), ref: 0042EF9E
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(?,00000000), ref: 0042EFC1
• ReleaseDC.USER32(00000000,?), ref: 0042F0A0
Strings
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
• Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
• Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
• Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
• Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
APIs
• GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
Strings
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
• Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
• Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
• Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
• Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
• Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
• Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
Strings
Similarity
• API ID: Type$AllocByteCharFullLoadMulusermePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
• API String ID: 1312246647-2435364021
• Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
• Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
• Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
• Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
• Failed to create DebugClientWnd, xrefs: 004571D4
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
• Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
• Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
• Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
• Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetFocus.USER32 ref: 00478757
• GetKeyState.USER32(0000007A), ref: 00478769
• WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
Strings
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
• Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
• Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
• Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
• Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
Strings
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
• Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
• Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
• Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
• Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
                                                                                          Similarity
                                                                                          • API ID: File$AttributesDeleteErrorLastMove
                                                                                          • String ID: DeleteFile$MoveFile
                                                                                          • API String ID: 3024442154-139070271
                                                                                          • Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                          • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                                                          • Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                          • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                                                          APIs
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpen
                                                                                          • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                          • API String ID: 47109696-2631785700
                                                                                          • Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                          • Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
                                                                                          • Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                          • Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
                                                                                          APIs
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
                                                                                          • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
                                                                                          Strings
                                                                                          • System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
                                                                                          • CSDVersion, xrefs: 00483BFC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                          • API String ID: 3677997916-1910633163
                                                                                          • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                          • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                                                          • Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                          • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                          • API String ID: 1646373207-4063490227
                                                                                          • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                          • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                                          • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                          • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                          • API String ID: 1646373207-260599015
                                                                                          • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                          • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                          • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                          • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: NotifyWinEvent$user32.dll
                                                                                          • API String ID: 1646373207-597752486
                                                                                          • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                          • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                          • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                          • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                          • API String ID: 1646373207-834958232
                                                                                          • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                          • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                          • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                          • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                          APIs
                                                                                            • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                          • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                          • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                          • API String ID: 2238633743-2683653824
                                                                                          • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                          • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                          • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                          • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                          APIs
                                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                          • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$CloseFileNext
                                                                                          • String ID:
                                                                                          • API String ID: 2066263336-0
                                                                                          • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                          • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                          • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                          • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                                                          APIs
                                                                                            • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                            • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                                          • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: CountErrorFileLastMoveTick
                                                                                          • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                          • API String ID: 2406187244-2685451598
                                                                                          • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                          • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                                          • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                          • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                                                          APIs
                                                                                          • GetDesktopWindow.USER32 ref: 00413D46
                                                                                          • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                            • Part of subcall function 00418EC0: 6FBCC6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                            • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                                          • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                                          Similarity
                                                                                          • API ID: CursorDesktopWindow$Show
                                                                                          • String ID:
                                                                                          • API String ID: 2074268717-0
                                                                                          • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                          • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                                          • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                          • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                                          • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                                          • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                                          Similarity
                                                                                          • API ID: LoadString$FileMessageModuleName
                                                                                          • String ID:
                                                                                          • API String ID: 704749118-0
                                                                                          • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                          • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                                          • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                          • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                                          APIs
                                                                                          • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                            • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                                          • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                            • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                                          • IsRectEmpty.USER32(?), ref: 0044E953
                                                                                          • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                                          Similarity
                                                                                          • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                          • String ID:
                                                                                          • API String ID: 855768636-0
                                                                                          • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                          • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                                          • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                          • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                                                          APIs
                                                                                          • OffsetRect.USER32(?,?,00000000), ref: 00495988
                                                                                          • OffsetRect.USER32(?,00000000,?), ref: 004959A3
                                                                                          • OffsetRect.USER32(?,?,00000000), ref: 004959BD
                                                                                          • OffsetRect.USER32(?,00000000,?), ref: 004959D8
                                                                                          Similarity
                                                                                          • API ID: OffsetRect
                                                                                          • String ID:
                                                                                          • API String ID: 177026234-0
                                                                                          • Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                          • Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
                                                                                          • Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                          • Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
                                                                                          APIs
                                                                                          • GetCursorPos.USER32 ref: 00417260
                                                                                          • SetCursor.USER32(00000000), ref: 004172A3
                                                                                          • GetLastActivePopup.USER32(?), ref: 004172CD
                                                                                          • GetForegroundWindow.USER32(?), ref: 004172D4
                                                                                          Similarity
                                                                                          • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1959210111-0
                                                                                          • Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                          • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                                                          • Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                          • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                                                          APIs
                                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
                                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00495605
                                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00495619
                                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00495637
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                          • Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
                                                                                          • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                          • Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
                                                                                          APIs
                                                                                          • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                                          • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                                          • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                                          • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                                          Similarity
                                                                                          • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                          • String ID:
                                                                                          • API String ID: 4025006896-0
                                                                                          • Opcode ID: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
                                                                                          • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                                                          • Opcode Fuzzy Hash: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
                                                                                          • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                                                          APIs
                                                                                          • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                          • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                          Similarity
                                                                                          • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                          • String ID:
                                                                                          • API String ID: 4071923889-0
                                                                                          • Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                          • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                                                          • Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                          • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                                                          APIs
                                                                                          • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                                          • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                                                          • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                                                          • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                                                          Similarity
                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                          • String ID:
                                                                                          • API String ID: 3473537107-0
                                                                                          • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                          • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                                                          • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                          • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 004705F1
                                                                                          Strings
                                                                                          • Unsetting NTFS compression on file: %s, xrefs: 004705D7
                                                                                          • Failed to set NTFS compression state (%d)., xrefs: 00470602
                                                                                          • Setting NTFS compression on file: %s, xrefs: 004705BF
                                                                                          Similarity
                                                                                          • API ID: ErrorLast
                                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                          • API String ID: 1452528299-3038984924
                                                                                          • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                          • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                                                          • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                          • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                                                          Strings
                                                                                          • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                                                          • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                                                          • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                                                          Similarity
                                                                                          • API ID: ErrorLast
                                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                          • API String ID: 1452528299-1392080489
                                                                                          • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                          • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                                                          • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                          • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
                                                                                          APIs
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
                                                                                          • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                          • String ID:
                                                                                          • API String ID: 4283692357-0
                                                                                          • Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                                          • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                                          • Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                                          • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$CountSleepTick
                                                                                          • String ID:
                                                                                          • API String ID: 2227064392-0
                                                                                          • Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                          • Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
                                                                                          • Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                          • Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                                          • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                                          • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                                          • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                          • String ID:
                                                                                          • API String ID: 215268677-0
                                                                                          • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                          • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                                                          • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                          • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
                                                                                          APIs
                                                                                          • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                                          • IsWindowVisible.USER32(?), ref: 0042425D
                                                                                          • IsWindowEnabled.USER32(?), ref: 00424267
                                                                                          • SetForegroundWindow.USER32(?), ref: 00424271
                                                                                          Similarity
                                                                                          • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                          • String ID:
                                                                                          • API String ID: 2280970139-0
                                                                                          • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                          • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                                          • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                          • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                                          APIs
                                                                                          • GlobalHandle.KERNEL32 ref: 0040626F
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                                          • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                                          Similarity
                                                                                          • API ID: Global$AllocHandleLockUnlock
                                                                                          • String ID:
                                                                                          • API String ID: 2167344118-0
                                                                                          • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                          • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                                          • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                          • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                                          APIs
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                                          Strings
                                                                                          • Failed to parse "reg" constant, xrefs: 0047A480
                                                                                          • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                          • API String ID: 3535843008-1938159461
                                                                                          • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                          • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                                                          • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                          • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                                          • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                                          Strings
                                                                                          • Will not restart Windows automatically., xrefs: 004836F6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ActiveForeground
                                                                                          • String ID: Will not restart Windows automatically.
                                                                                          • API String ID: 307657957-4169339592
                                                                                          • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                          • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                                                          • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                          • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                                                          APIs
                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                                                          • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                                                          Strings
                                                                                          • Extracting temporary file: , xrefs: 004763EC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileTime$Local
                                                                                          • String ID: Extracting temporary file:
                                                                                          • API String ID: 791338737-4171118009
                                                                                          • Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                          • Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
                                                                                          • Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                          • Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
                                                                                          Strings
                                                                                          • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                                                          • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                          • API String ID: 0-1974262853
                                                                                          • Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                          • Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
                                                                                          • Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                          • Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
                                                                                          APIs
                                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                          • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                                                          Strings
                                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                                          • %s\%s_is1, xrefs: 00478F10
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpen
                                                                                          • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                          • API String ID: 47109696-1598650737
                                                                                          • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                          • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                                          • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                          • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                                                          APIs
                                                                                          • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExecuteMessageSendShell
                                                                                          • String ID: open
                                                                                          • API String ID: 812272486-2758837156
                                                                                          • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                          • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                          • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                          • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                          APIs
                                                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                          • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                          • String ID: <
                                                                                          • API String ID: 893404051-4251816714
                                                                                          • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                          • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                          • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                          • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                          APIs
                                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                            • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                            • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                            • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                            • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0219C170,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                          • String ID: )
                                                                                          • API String ID: 2227675388-1084416617
                                                                                          • Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                          • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                          • Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                          • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                          APIs
                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window
                                                                                          • String ID: /INITPROCWND=$%x $@
                                                                                          • API String ID: 2353593579-4169826103
                                                                                          • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                          • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                          • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                          • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                          APIs
                                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                          • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.2610464446.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000001.00000002.2610329600.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610677739.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610704129.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610764602.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000001.00000002.2610935426.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$AllocByteCharFreeMultiWide
                                                                                          • String ID: NIL Interface Exception$Unknown Method
                                                                                          • API String ID: 3952431833-1023667238
                                                                                          • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                          • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                          • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                          • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                          • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                            • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: CloseCreateErrorHandleLastProcess
                                                                                          • String ID: 0nI
                                                                                          • API String ID: 3798668922-794067871
                                                                                          • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                          • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                          • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                          • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                                          APIs
                                                                                          • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Value$EnumQuery
                                                                                          • String ID: Inno Setup: No Icons
                                                                                          • API String ID: 1576479698-2016326496
                                                                                          • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                          • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                          • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                          • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                          • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AttributesErrorFileLast
                                                                                          • String ID: T$H
                                                                                          • API String ID: 1799206407-488339322
                                                                                          • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                          • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                                          • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                          • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                                          APIs
                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                          • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: DeleteErrorFileLast
                                                                                          • String ID: T$H
                                                                                          • API String ID: 2018770650-488339322
                                                                                          • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                          • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                                                          • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                          • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                                                          APIs
                                                                                          • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                                          • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: DirectoryErrorLastRemove
                                                                                          • String ID: T$H
                                                                                          • API String ID: 377330604-488339322
                                                                                          • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                          • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                                          • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                          • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                                          APIs
                                                                                            • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(74C60000,00481A2F), ref: 0047D0E2
                                                                                            • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                                            • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                                          • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                                          • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                                          Strings
                                                                                          • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                                          Similarity
                                                                                          • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                          • String ID: Detected restart. Removing temporary directory.
                                                                                          • API String ID: 1717587489-3199836293
                                                                                          • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                          • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                                          • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                          • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: ErrorLastSleep
                                                                                          • String ID:
                                                                                          • API String ID: 1458359878-0
                                                                                          • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                          • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                          • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                          • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                                          Execution Graph

                                                                                          Execution Coverage:1.1%
                                                                                          Dynamic/Decrypted Code Coverage:71.4%
                                                                                          Signature Coverage:10.7%
                                                                                          Total number of Nodes:507
                                                                                          Total number of Limit Nodes:30
API calls 7 library calls 60668->60722 60674 2bb66db 60727 2bb5119 103 API calls 3 library calls 60674->60727 60675 2bb6a8b 60675->60660 60738 2bb9729 73 API calls Mailbox 60675->60738 60677 2bb6adc 60677->60660 60739 2bbc11b 73 API calls Mailbox 60677->60739 60680 2bb6717 60728 2bb9c13 88 API calls 3 library calls 60680->60728 60682 2bb675c 60683 2bb676f shared_ptr 60682->60683 60684 2bb6774 Sleep 60682->60684 60683->60684 60729 2bc0900 GetProcessHeap HeapFree 60684->60729 60686 2bb6790 60687 2bb67aa shared_ptr 60686->60687 60730 2bb4100 GetProcessHeap HeapFree 60686->60730 60687->60633 60690 2bc1358 60689->60690 60691 2bc137b 60689->60691 60690->60691 60693 2bc135e 60690->60693 60745 2bc1393 66 API calls 4 library calls 60691->60745 60743 2bc4acb 59 API calls __getptd_noexit 60693->60743 60695 2bc138e 60695->60607 60696 2bc1363 60744 2bc3b65 9 API calls __cftoa_l 60696->60744 60698 2bc136e 60698->60607 60701 2bb5c17 60699->60701 60700 2bc1fbc _malloc 59 API calls 60700->60701 60701->60700 60702 2bb5c96 60701->60702 60704 2bc2037 60703->60704 60708 2bc1fc8 60703->60708 60752 2bc6e73 RtlDecodePointer 60704->60752 60706 2bc203d 60753 2bc4acb 59 API calls __getptd_noexit 60706->60753 60707 2bc1fd3 60707->60708 60746 2bc7291 59 API calls __NMSG_WRITE 60707->60746 60747 2bc72ee 59 API calls 7 library calls 60707->60747 60748 2bc6eda GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 60707->60748 60708->60707 60711 2bc1ffb RtlAllocateHeap 60708->60711 60714 2bc2023 60708->60714 60718 2bc2021 60708->60718 60749 2bc6e73 RtlDecodePointer 60708->60749 60711->60708 60712 2bb6540 RtlEnterCriticalSection RtlLeaveCriticalSection 60711->60712 60712->60640 60750 2bc4acb 59 API calls __getptd_noexit 60714->60750 60751 2bc4acb 59 API calls __getptd_noexit 60718->60751 60720->60668 60721->60668 60722->60668 60723->60659 60724->60663 60725->60667 60726->60674 60727->60680 60728->60682 60729->60686 60730->60687 60731->60636 60732->60638 60733->60646 60734->60648 
60735->60652 60736->60666 60737->60675 60738->60677 60739->60660 60740->60665 60741->60654 60742->60633 60743->60696 60744->60698 60745->60695 60746->60707 60747->60707 60749->60708 60750->60718 60751->60712 60752->60706 60753->60712 60754 401b93 RegSetValueExA RegCloseKey 60755 40d143 60754->60755 60756 2c24616 60757 2c37646 InternetOpenA 60756->60757 60759 401e96 CreateDirectoryA 60760 40d036 60759->60760 60972 2bb104d 60977 2bc23b4 60972->60977 60983 2bc22b8 60977->60983 60979 2bb1057 60980 2bb1aa9 InterlockedIncrement 60979->60980 60981 2bb105c 60980->60981 60982 2bb1ac5 WSAStartup InterlockedExchange 60980->60982 60982->60981 60984 2bc22c4 ___lock_fhandle 60983->60984 60991 2bc7150 60984->60991 60990 2bc22eb ___lock_fhandle 60990->60979 61008 2bc74ab 60991->61008 60993 2bc22cd 60994 2bc22fc RtlDecodePointer RtlDecodePointer 60993->60994 60995 2bc2329 60994->60995 60996 2bc22d9 60994->60996 60995->60996 61017 2bc7d1d 60 API calls __cftoa_l 60995->61017 61005 2bc22f6 60996->61005 60998 2bc238c RtlEncodePointer RtlEncodePointer 60998->60996 60999 2bc233b 60999->60998 61000 2bc2360 60999->61000 61018 2bc76b9 62 API calls 2 library calls 60999->61018 61000->60996 61003 2bc237a RtlEncodePointer 61000->61003 61019 2bc76b9 62 API calls 2 library calls 61000->61019 61003->60998 61004 2bc2374 61004->60996 61004->61003 61020 2bc7159 61005->61020 61009 2bc74bc 61008->61009 61010 2bc74cf RtlEnterCriticalSection 61008->61010 61015 2bc7533 59 API calls 8 library calls 61009->61015 61010->60993 61012 2bc74c2 61012->61010 61016 2bc6ffd 59 API calls 3 library calls 61012->61016 61015->61012 61017->60999 61018->61000 61019->61004 61023 2bc7615 RtlLeaveCriticalSection 61020->61023 61022 2bc22fb 61022->60990 61023->61022 60761 40d9d8 RegOpenKeyExA 61024 401878 RegCloseKey 61025 40dcf0 61024->61025 61025->61025 60762 401cdb CopyFileA 61026 40207b 61030 2bc2988 61026->61030 61031 2bc2996 61030->61031 61032 2bc2991 61030->61032 61036 2bc29ab 61031->61036 61044 2bc918c 
GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 61032->61044 61035 402080 Sleep 61037 2bc29b7 ___lock_fhandle 61036->61037 61038 2bc2a05 ___DllMainCRTStartup 61037->61038 61039 2bc2a62 ___lock_fhandle 61037->61039 61045 2bc2816 61037->61045 61038->61039 61041 2bc2a3f 61038->61041 61043 2bc2816 __CRT_INIT@12 138 API calls 61038->61043 61039->61035 61041->61039 61042 2bc2816 __CRT_INIT@12 138 API calls 61041->61042 61042->61039 61043->61041 61044->61031 61046 2bc2822 ___lock_fhandle 61045->61046 61047 2bc282a 61046->61047 61048 2bc28a4 61046->61048 61093 2bc6e56 GetProcessHeap 61047->61093 61050 2bc290d 61048->61050 61051 2bc28a8 61048->61051 61053 2bc2970 61050->61053 61054 2bc2912 61050->61054 61056 2bc28c9 61051->61056 61086 2bc2833 ___lock_fhandle __CRT_INIT@12 61051->61086 61182 2bc7019 59 API calls _doexit 61051->61182 61052 2bc282f 61052->61086 61094 2bc4a04 61052->61094 61053->61086 61197 2bc4894 59 API calls 2 library calls 61053->61197 61187 2bc7d8b TlsGetValue 61054->61187 61183 2bc6ef0 61 API calls _free 61056->61183 61060 2bc291d 61060->61086 61188 2bc762a 61060->61188 61062 2bc28ce 61065 2bc28df __CRT_INIT@12 61062->61065 61184 2bc8e2a 60 API calls _free 61062->61184 61063 2bc283f __RTC_Initialize 61070 2bc284f GetCommandLineA 61063->61070 61063->61086 61186 2bc28f8 62 API calls __mtterm 61065->61186 61069 2bc28da 61185 2bc4a7a 62 API calls 2 library calls 61069->61185 61115 2bc9228 GetEnvironmentStringsW 61070->61115 61074 2bc2946 61076 2bc294c 61074->61076 61077 2bc2964 61074->61077 61195 2bc4951 59 API calls 4 library calls 61076->61195 61196 2bc1f84 59 API calls 2 library calls 61077->61196 61081 2bc2869 61083 2bc286d 61081->61083 61147 2bc8e7c 61081->61147 61082 2bc2954 GetCurrentThreadId 61082->61086 61180 2bc4a7a 62 API calls 2 library calls 61083->61180 61086->61038 61088 2bc288d 61088->61086 61181 2bc8e2a 60 API calls _free 61088->61181 61093->61052 61198 2bc70c0 36 API calls 2 library calls 61094->61198 
61096 2bc4a09 61199 2bc75dc InitializeCriticalSectionAndSpinCount ___lock_fhandle 61096->61199 61098 2bc4a0e 61099 2bc4a12 61098->61099 61201 2bc7d4e TlsAlloc 61098->61201 61200 2bc4a7a 62 API calls 2 library calls 61099->61200 61102 2bc4a17 61102->61063 61103 2bc4a24 61103->61099 61104 2bc4a2f 61103->61104 61105 2bc762a __calloc_crt 59 API calls 61104->61105 61106 2bc4a3c 61105->61106 61107 2bc4a71 61106->61107 61202 2bc7daa TlsSetValue 61106->61202 61204 2bc4a7a 62 API calls 2 library calls 61107->61204 61110 2bc4a50 61110->61107 61112 2bc4a56 61110->61112 61111 2bc4a76 61111->61063 61203 2bc4951 59 API calls 4 library calls 61112->61203 61114 2bc4a5e GetCurrentThreadId 61114->61063 61116 2bc923b WideCharToMultiByte 61115->61116 61117 2bc285f 61115->61117 61119 2bc926e 61116->61119 61120 2bc92a5 FreeEnvironmentStringsW 61116->61120 61128 2bc8b76 61117->61128 61205 2bc7672 59 API calls 2 library calls 61119->61205 61120->61117 61122 2bc9274 61122->61120 61123 2bc927b WideCharToMultiByte 61122->61123 61124 2bc929a FreeEnvironmentStringsW 61123->61124 61125 2bc9291 61123->61125 61124->61117 61206 2bc1f84 59 API calls 2 library calls 61125->61206 61127 2bc9297 61127->61124 61129 2bc8b82 ___lock_fhandle 61128->61129 61130 2bc74ab __lock 59 API calls 61129->61130 61131 2bc8b89 61130->61131 61132 2bc762a __calloc_crt 59 API calls 61131->61132 61134 2bc8b9a 61132->61134 61133 2bc8ba5 ___lock_fhandle @_EH4_CallFilterFunc@8 61133->61081 61134->61133 61135 2bc8c05 GetStartupInfoW 61134->61135 61140 2bc8c1a 61135->61140 61142 2bc8d49 61135->61142 61136 2bc8e11 61209 2bc8e21 RtlLeaveCriticalSection _doexit 61136->61209 61138 2bc762a __calloc_crt 59 API calls 61138->61140 61139 2bc8d96 GetStdHandle 61139->61142 61140->61138 61140->61142 61144 2bc8c68 61140->61144 61141 2bc8da9 GetFileType 61141->61142 61142->61136 61142->61139 61142->61141 61208 2bc7dcc InitializeCriticalSectionAndSpinCount 61142->61208 61143 2bc8c9c GetFileType 61143->61144 61144->61142 61144->61143 61207 
2bc7dcc InitializeCriticalSectionAndSpinCount 61144->61207 61148 2bc8e8f GetModuleFileNameA 61147->61148 61149 2bc8e8a 61147->61149 61151 2bc8ebc 61148->61151 61216 2bc3efa 71 API calls __setmbcp 61149->61216 61210 2bc8f2f 61151->61210 61153 2bc2879 61153->61088 61158 2bc90ab 61153->61158 61156 2bc8ef5 61156->61153 61157 2bc8f2f _parse_cmdline 59 API calls 61156->61157 61157->61153 61159 2bc90b4 61158->61159 61162 2bc90b9 _strlen 61158->61162 61220 2bc3efa 71 API calls __setmbcp 61159->61220 61161 2bc762a __calloc_crt 59 API calls 61170 2bc90ef _strlen 61161->61170 61162->61161 61165 2bc2882 61162->61165 61163 2bc9141 61222 2bc1f84 59 API calls 2 library calls 61163->61222 61165->61088 61174 2bc7028 61165->61174 61166 2bc762a __calloc_crt 59 API calls 61166->61170 61167 2bc9168 61223 2bc1f84 59 API calls 2 library calls 61167->61223 61170->61163 61170->61165 61170->61166 61170->61167 61171 2bc917f 61170->61171 61221 2bc592c 59 API calls __cftoa_l 61170->61221 61224 2bc3b75 8 API calls 2 library calls 61171->61224 61173 2bc918b 61175 2bc7034 __IsNonwritableInCurrentImage 61174->61175 61225 2bcab8f 61175->61225 61177 2bc7052 __initterm_e 61178 2bc23b4 __cinit 68 API calls 61177->61178 61179 2bc7071 __cinit __IsNonwritableInCurrentImage 61177->61179 61178->61179 61179->61088 61180->61086 61181->61083 61182->61056 61183->61062 61184->61069 61185->61065 61186->61086 61187->61060 61191 2bc7631 61188->61191 61190 2bc292e 61190->61086 61194 2bc7daa TlsSetValue 61190->61194 61191->61190 61193 2bc764f 61191->61193 61228 2bce9b8 61191->61228 61193->61190 61193->61191 61236 2bc80c5 Sleep 61193->61236 61194->61074 61195->61082 61196->61086 61197->61086 61198->61096 61199->61098 61200->61102 61201->61103 61202->61110 61203->61114 61204->61111 61205->61122 61206->61127 61207->61144 61208->61142 61209->61133 61212 2bc8f51 61210->61212 61214 2bc8fb5 61212->61214 61218 2bcef96 59 API calls x_ismbbtype_l 61212->61218 61213 2bc8ed2 61213->61153 61217 2bc7672 59 API calls 2 library 
calls 61213->61217 61214->61213 61219 2bcef96 59 API calls x_ismbbtype_l 61214->61219 61216->61148 61217->61156 61218->61212 61219->61214 61220->61162 61221->61170 61222->61165 61223->61165 61224->61173 61226 2bcab92 RtlEncodePointer 61225->61226 61226->61226 61227 2bcabac 61226->61227 61227->61177 61229 2bce9de 61228->61229 61230 2bce9c3 61228->61230 61232 2bce9ee RtlAllocateHeap 61229->61232 61234 2bce9d4 61229->61234 61238 2bc6e73 RtlDecodePointer 61229->61238 61230->61229 61231 2bce9cf 61230->61231 61237 2bc4acb 59 API calls __getptd_noexit 61231->61237 61232->61229 61232->61234 61234->61191 61236->61193 61237->61234 61238->61229 60763 2bbe8a7 CreateFileA 60764 2bbe9a3 60763->60764 60767 2bbe8d8 60763->60767 60765 2bbe8f0 DeviceIoControl 60765->60767 60766 2bbe999 CloseHandle 60766->60764 60767->60765 60767->60766 60768 2bbe965 GetLastError 60767->60768 60770 2bc27c5 60 API calls 3 library calls 60767->60770 60768->60766 60768->60767 60770->60767

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • RtlInitializeCriticalSection.NTDLL(02BE4FD0), ref: 02BB5E92
                                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02BB5EA9
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BB5EB2
                                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02BB5EC1
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BB5EC4
                                                                                          • GetTickCount.KERNEL32 ref: 02BB5ED8
                                                                                            • Part of subcall function 02BB59FA: _malloc.LIBCMT ref: 02BB5A08
                                                                                          • GetVersionExA.KERNEL32(02BE4E20), ref: 02BB5F05
                                                                                          • _memset.LIBCMT ref: 02BB5F24
                                                                                          • _malloc.LIBCMT ref: 02BB5F31
                                                                                            • Part of subcall function 02BC1FBC: __FF_MSGBANNER.LIBCMT ref: 02BC1FD3
                                                                                            • Part of subcall function 02BC1FBC: __NMSG_WRITE.LIBCMT ref: 02BC1FDA
                                                                                            • Part of subcall function 02BC1FBC: RtlAllocateHeap.NTDLL(00730000,00000000,00000001), ref: 02BC1FFF
                                                                                          • _malloc.LIBCMT ref: 02BB5F41
                                                                                          • _malloc.LIBCMT ref: 02BB5F4C
                                                                                          • _malloc.LIBCMT ref: 02BB5F57
                                                                                          • _malloc.LIBCMT ref: 02BB5F62
                                                                                          • _malloc.LIBCMT ref: 02BB5F6D
                                                                                          • _malloc.LIBCMT ref: 02BB5F78
                                                                                          • _malloc.LIBCMT ref: 02BB5F84
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02BB5F9B
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BB5FA4
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BB5FB0
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BB5FB3
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BB5FBE
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BB5FC1
                                                                                          • _memset.LIBCMT ref: 02BB5FD1
                                                                                          • _memset.LIBCMT ref: 02BB5FDD
                                                                                          • _memset.LIBCMT ref: 02BB5FEA
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB5FF8
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB6005
                                                                                          • _malloc.LIBCMT ref: 02BB6026
                                                                                          • _malloc.LIBCMT ref: 02BB6034
                                                                                          • _malloc.LIBCMT ref: 02BB603B
                                                                                          • _malloc.LIBCMT ref: 02BB605C
                                                                                          • QueryPerformanceCounter.KERNEL32(00000200), ref: 02BB6068
                                                                                          • Sleep.KERNELBASE(00000000), ref: 02BB6076
                                                                                          • _malloc.LIBCMT ref: 02BB6082
                                                                                          • _malloc.LIBCMT ref: 02BB6092
                                                                                          • _memset.LIBCMT ref: 02BB60A7
                                                                                          • _memset.LIBCMT ref: 02BB60B7
                                                                                          • Sleep.KERNELBASE(0000EA60), ref: 02BB6104
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB610F
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB6120
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _malloc$Heap$_memset$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                          • String ID: Fz[$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                          • API String ID: 1856495841-994335508
                                                                                          • Opcode ID: fb7c31895fcb517498170422557670d42baaae707b7c859ca387fb942a1bec6f
                                                                                          • Instruction ID: b5df90f9e40b8e7862034a96fa93910b6e41534b7921456ffb1f9f1ea5033558
                                                                                          • Opcode Fuzzy Hash: fb7c31895fcb517498170422557670d42baaae707b7c859ca387fb942a1bec6f
                                                                                          • Instruction Fuzzy Hash: 1F71E2B1D493409FD720AF34A819B9B7BE8AF55700F544DADF588A7342EBB458008FD6

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 339 2bbe9ab-2bbe9ce LoadLibraryA 340 2bbea8e-2bbea95 339->340 341 2bbe9d4-2bbe9e2 GetProcAddress 339->341 342 2bbe9e8-2bbe9f8 341->342 343 2bbea87-2bbea88 FreeLibrary 341->343 344 2bbe9fa-2bbea06 GetAdaptersInfo 342->344 343->340 345 2bbea08 344->345 346 2bbea3e-2bbea46 344->346 349 2bbea0a-2bbea11 345->349 347 2bbea48-2bbea4e call 2bc26df 346->347 348 2bbea4f-2bbea54 346->348 347->348 351 2bbea82-2bbea86 348->351 352 2bbea56-2bbea59 348->352 353 2bbea1b-2bbea23 349->353 354 2bbea13-2bbea17 349->354 351->343 352->351 357 2bbea5b-2bbea60 352->357 355 2bbea26-2bbea2b 353->355 354->349 358 2bbea19 354->358 355->355 359 2bbea2d-2bbea3a call 2bbe6fa 355->359 360 2bbea6d-2bbea78 call 2bc27c5 357->360 361 2bbea62-2bbea6a 357->361 358->346 359->346 360->351 366 2bbea7a-2bbea7d 360->366 361->360 366->344
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 02BBE9C1
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02BBE9DA
                                                                                          • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02BBE9FF
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 02BBEA88
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                          • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                          • API String ID: 514930453-3114217049
                                                                                          • Opcode ID: 37f6a1b3adb2532b2eb9c44e30e972776d8f9c413645ce2d573306cbae7b2084
                                                                                          • Instruction ID: 5c2e1f4da42743b30615602d1cb3d888e4c49a23a3093cec331934f0afb4c2db
                                                                                          • Opcode Fuzzy Hash: 37f6a1b3adb2532b2eb9c44e30e972776d8f9c413645ce2d573306cbae7b2084
                                                                                          • Instruction Fuzzy Hash: FB21D575A002099BDB11DBA888946FEBBB8FF06304F9440E9E555E7211EBB0D945CBA0

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 367 2bbe8a7-2bbe8d2 CreateFileA 368 2bbe8d8-2bbe8ed 367->368 369 2bbe9a3-2bbe9aa 367->369 370 2bbe8f0-2bbe912 DeviceIoControl 368->370 371 2bbe94b-2bbe953 370->371 372 2bbe914-2bbe91c 370->372 375 2bbe95c-2bbe95e 371->375 376 2bbe955-2bbe95b call 2bc26df 371->376 373 2bbe91e-2bbe923 372->373 374 2bbe925-2bbe92a 372->374 373->371 374->371 377 2bbe92c-2bbe934 374->377 379 2bbe999-2bbe9a2 CloseHandle 375->379 380 2bbe960-2bbe963 375->380 376->375 381 2bbe937-2bbe93c 377->381 379->369 383 2bbe97f-2bbe98c call 2bc27c5 380->383 384 2bbe965-2bbe96e GetLastError 380->384 381->381 386 2bbe93e-2bbe94a call 2bbe6fa 381->386 383->379 391 2bbe98e-2bbe994 383->391 384->379 387 2bbe970-2bbe973 384->387 386->371 387->383 390 2bbe975-2bbe97c 387->390 390->383 391->370
                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02BBE8C6
                                                                                          • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02BBE904
                                                                                          • GetLastError.KERNEL32 ref: 02BBE965
                                                                                          • CloseHandle.KERNELBASE(?), ref: 02BBE99C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                          • String ID: \\.\PhysicalDrive0
                                                                                          • API String ID: 4026078076-1180397377
                                                                                          • Opcode ID: 0340f4b5329611844b8f74c5b2cce4db251c44f9a305b9d1923dd4ee0c320de6
                                                                                          • Instruction ID: 8636ee0ebd6c25ff49833764b2fe488dda3adcda0cc868a9a37b619ae98fa5a8
                                                                                          • Opcode Fuzzy Hash: 0340f4b5329611844b8f74c5b2cce4db251c44f9a305b9d1923dd4ee0c320de6
                                                                                          • Instruction Fuzzy Hash: 2631E571D00215EBCB25CF94C894BFEBBB8EF09350FA001AEE645A3250D7B09A04CBA0

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 421 401951-40d878 GetLocalTime 425 40de86-40df52 StartServiceCtrlDispatcherA 421->425 426 40d87e-40d88c 421->426 427 40e028-40e02e lstrcmpiW 425->427 426->427
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(0040BE00), ref: 00401B4D
                                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                                          • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: CtrlDispatcherLocalServiceStartTimelstrcmpi
                                                                                          • String ID: /chk
                                                                                          • API String ID: 4108452588-3837807730
                                                                                          • Opcode ID: b98aab331838fe6632ee09d3ee6537478d9e654e437189eacf188a04f6302d0c
                                                                                          • Instruction ID: c0b6fb2c802bab406561895994aa9e9237411ab6f3462ae67dbec63e80f3bd48
                                                                                          • Opcode Fuzzy Hash: b98aab331838fe6632ee09d3ee6537478d9e654e437189eacf188a04f6302d0c
                                                                                          • Instruction Fuzzy Hash: 4121D070904658CBDB048B609E697E63BF4AB06340F0081BAC886F72E2D738890ADB19

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • RtlInitializeCriticalSection.NTDLL(02BE4FD0), ref: 02BB5E92
                                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02BB5EA9
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BB5EB2
                                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02BB5EC1
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BB5EC4
                                                                                          • GetTickCount.KERNEL32 ref: 02BB5ED8
                                                                                          • GetVersionExA.KERNEL32(02BE4E20), ref: 02BB5F05
                                                                                          • _memset.LIBCMT ref: 02BB5F24
                                                                                          • _malloc.LIBCMT ref: 02BB5F31
                                                                                          • _malloc.LIBCMT ref: 02BB5F41
                                                                                          • _malloc.LIBCMT ref: 02BB5F4C
                                                                                          • _malloc.LIBCMT ref: 02BB5F57
                                                                                          • _malloc.LIBCMT ref: 02BB5F62
                                                                                          • _malloc.LIBCMT ref: 02BB5F6D
                                                                                          • _malloc.LIBCMT ref: 02BB5F78
                                                                                          • _malloc.LIBCMT ref: 02BB5F84
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02BB5F9B
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BB5FA4
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BB5FB0
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BB5FB3
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BB5FBE
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BB5FC1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion_memset
                                                                                          • String ID: Fz[$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                          • API String ID: 3007647348-994335508
                                                                                          • Opcode ID: afd972c29c3386dc259945ac2d633a0949ede02663b18c2a0ebe57060a8be675
                                                                                          • Instruction ID: d10cbb91eddf8d03c46896eac5b88cafcf645699a0b580b8c52646595da070df
                                                                                          • Opcode Fuzzy Hash: afd972c29c3386dc259945ac2d633a0949ede02663b18c2a0ebe57060a8be675
                                                                                          • Instruction Fuzzy Hash: D6A13871D493409FD721AF78A854B9BBFE4AF49300F5409AEF588EB242DBB44805CBD2

                                                                                          Control-flow Graph
                                                                                          • Rendered graph not preserved in this text export (entry block 2bb6428; edge list omitted)
                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(0000EA60), ref: 02BB6104
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB610F
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB6120
                                                                                            • Part of subcall function 02BC27C5: _malloc.LIBCMT ref: 02BC27DD
                                                                                          • _memset.LIBCMT ref: 02BB6480
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB64A3
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB64B4
                                                                                          • _malloc.LIBCMT ref: 02BB653B
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB654D
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB6559
                                                                                          • _memset.LIBCMT ref: 02BB6573
                                                                                          • _memset.LIBCMT ref: 02BB6582
                                                                                          • _memset.LIBCMT ref: 02BB6592
                                                                                          • _memset.LIBCMT ref: 02BB65A1
                                                                                          • _memset.LIBCMT ref: 02BB65B0
                                                                                          • _malloc.LIBCMT ref: 02BB662A
                                                                                          • _memset.LIBCMT ref: 02BB663B
                                                                                          • _strtok.LIBCMT ref: 02BB665B
                                                                                          • _swscanf.LIBCMT ref: 02BB6672
                                                                                          • _strtok.LIBCMT ref: 02BB6689
                                                                                          • _free.LIBCMT ref: 02BB6695
                                                                                          • Sleep.KERNEL32(000007D0), ref: 02BB6779
                                                                                          • _memset.LIBCMT ref: 02BB67F2
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB67FF
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB6811
                                                                                            • Part of subcall function 02BB873B: __EH_prolog.LIBCMT ref: 02BB8740
                                                                                            • Part of subcall function 02BB873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 02BB87BB
                                                                                            • Part of subcall function 02BB873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BB87D9
                                                                                          • _sprintf.LIBCMT ref: 02BB689B
                                                                                          • RtlEnterCriticalSection.NTDLL(00000020), ref: 02BB6960
                                                                                          • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BB6994
                                                                                            • Part of subcall function 02BB5C11: _malloc.LIBCMT ref: 02BB5C1F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$_memset$EnterLeave$_malloc$Sleep_strtok$H_prolog_free_sprintf_swscanf
                                                                                          • String ID: $%d;$<htm$H&t$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                          • API String ID: 3337033272-1643160198
                                                                                          • Opcode ID: 582f5f352002c0e70ff360ed1afcb01c3f2133a8d510d264da91a04c7f8468a4
                                                                                          • Instruction ID: ec50cbba29909ce5b7ffc6c7e8feaef74bed1ccdc66857ec3671e86acf964f8f
                                                                                          • Opcode Fuzzy Hash: 582f5f352002c0e70ff360ed1afcb01c3f2133a8d510d264da91a04c7f8468a4
                                                                                          • Instruction Fuzzy Hash: FC1224321083819FD7369B24D850BFFBBE9EFC5718F14489DE58A97291EBB09844CB52

                                                                                          Control-flow Graph
                                                                                          • Rendered graph not preserved in this text export (entry block 401301; edge list omitted)
                                                                                          APIs
                                                                                          • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                                          • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Resource$FindSizeof
                                                                                          • String ID:
                                                                                          • API String ID: 3019604839-3916222277
                                                                                          • Opcode ID: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                          • Instruction ID: 779852d327d389dbbb2f1b261a2bb7141e3a4eae573781fe7d13a424a4f3f89b
                                                                                          • Opcode Fuzzy Hash: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                          • Instruction Fuzzy Hash: F1811075D04258DFDF01CFE8D985AEEBBB0BF09305F1400AAE581B7262C3385A84DB69

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetVersion.KERNEL32 ref: 00402A46
                                                                                            • Part of subcall function 00403B64: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                            • Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                          • GetCommandLineA.KERNEL32 ref: 00402A94
                                                                                          • GetStartupInfoA.KERNEL32(?), ref: 00402ABF
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2
                                                                                            • Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                          • String ID: @5s
                                                                                          • API String ID: 2057626494-3840325346
                                                                                          • Opcode ID: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                          • Instruction ID: 5f87248e4510ca7a7a053da507506fe2897125482441b09741c869e2758f94b2
                                                                                          • Opcode Fuzzy Hash: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                          • Instruction Fuzzy Hash: BA214CB19006159ADB04AFA6DE49A6E7FA8EB04715F10413FF905BB2D1DB384900CA6C

                                                                                          Control-flow Graph
                                                                                          • Rendered graph not preserved in this text export (entry block 2bb615e; edge list omitted)
                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(0000EA60), ref: 02BB6104
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB610F
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB6120
                                                                                          Strings
                                                                                          • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02BB6129
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterLeaveSleep
                                                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          • API String ID: 1566154052-1923541051
                                                                                          • Opcode ID: 7b0428dad4808cecd1284cc37216daff831b9c3d93a712cd117ed93d7b98c952
                                                                                          • Instruction ID: 42bbac1f0f3dd8af44799084b3b5f40cac35f3420b3cd58f9f7846746384ff66
                                                                                          • Opcode Fuzzy Hash: 7b0428dad4808cecd1284cc37216daff831b9c3d93a712cd117ed93d7b98c952
                                                                                          • Instruction Fuzzy Hash: 38F0C22298D3C09FD7138760A8686E53F74AF5B214B4A09C6F4869B053D1951C45C7A2

                                                                                          Control-flow Graph
                                                                                          • Rendered graph not preserved in this text export (entry block 2bb1aa9; edge list omitted)
                                                                                          APIs
                                                                                          • InterlockedIncrement.KERNEL32(02BE529C), ref: 02BB1ABA
                                                                                          • WSAStartup.WS2_32(00000002,00000000), ref: 02BB1ACB
                                                                                          • InterlockedExchange.KERNEL32(02BE52A0,00000000), ref: 02BB1AD7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Interlocked$ExchangeIncrementStartup
                                                                                          • String ID:
                                                                                          • API String ID: 1856147945-0
                                                                                          • Opcode ID: 0fd36e94a3dd45aa1201c33d887469525a23216b3dd204b475678071dca860ac
                                                                                          • Instruction ID: bdb0e9f2101ee06ad24aac546feed237e4252ee686bff38315a34080c43acc62
                                                                                          • Opcode Fuzzy Hash: 0fd36e94a3dd45aa1201c33d887469525a23216b3dd204b475678071dca860ac
                                                                                          • Instruction Fuzzy Hash: EBD05B31D852085BE53076945D1EAF8775CD706715FC00691FD66C51C0F751652087A6

                                                                                          Control-flow Graph
                                                                                          • Rendered graph not preserved in this text export (entry block 2c24616; edge list omitted)
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BE8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE8000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2be8000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: InternetOpen
                                                                                          • String ID: U[6
                                                                                          • API String ID: 2038078732-2089642770
                                                                                          • Opcode ID: baf1ff8c980d10f8b00d1038710330fc4c46da49cd430d8337d31e47aa43f34b
                                                                                          • Instruction ID: 9cc8516901fad7ce377bdd1b444a9108527467871f9987daf6876504b73c33c6
                                                                                          • Opcode Fuzzy Hash: baf1ff8c980d10f8b00d1038710330fc4c46da49cd430d8337d31e47aa43f34b
                                                                                          • Instruction Fuzzy Hash: 13515EB260C600AFE7156F19ECC5BBEFBE9EF98320F06092DE6D583700D63558548A97

                                                                                          Control-flow Graph
                                                                                          • Rendered graph not preserved in this text export (entry block 401897; edge list omitted)
                                                                                          APIs
                                                                                          • GetStartupInfoA.KERNEL32(0040BC70), ref: 0040D55C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoStartup
                                                                                          • String ID: 3h
                                                                                          • API String ID: 2571198056-227859408
                                                                                          • Opcode ID: 024e0850f827c435b8a5028a910d45a29312e1de5a17c3597f685f170630041f
                                                                                          • Instruction ID: 03e41e0e2fbe8f3f1350c05a2512de981e85b09ededd3a12d9f5b7d8ff28fd69
                                                                                          • Instruction Fuzzy Hash: 604117B1908246CBD7149B68DE313E677B0E702321F14423E9553B31E2D77C444AEB5E

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 460 401c85-40dc49 RegCreateKeyExA
                                                                                          APIs
                                                                                          • RegCreateKeyExA.KERNELBASE(80000002,Software\MCodec56,00000000), ref: 0040DC43
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID: Software\MCodec56
                                                                                          • API String ID: 2289755597-4241566752
                                                                                          • Opcode ID: f87b7628d3f1b6c01b43e6fa8910d4b250f6bb28f3b3560bcda25592cc6c599b
                                                                                          • Instruction ID: 93077888e0bbcd1fcb5d665c645348ae1621a215fb68b31d801dbfa4ad4509b8
                                                                                          • Instruction Fuzzy Hash: 2CD0A931A9C20AB8F2002A924D0EB721514B708B94F60083B2452B30C6C2B8844BD25B

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 464 401878-401884 RegCloseKey 465 40dcf0-40dcf5 call 402940 464->465 468 40dcfa 465->468 468->468
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID: MediaCodecPack
                                                                                          • API String ID: 3535843008-199385074
                                                                                          • Opcode ID: d1c8d0ac3f500a16e2a1ba87aa97279d6ff8767d919a51834699a3c776ea22fd
                                                                                          • Instruction ID: f19db8fe7a91f9339945a850f06442911a31ce16223db01261e704d0ab5d2cd6
                                                                                          • Instruction Fuzzy Hash: B4B01221A4C510D7E5282BD05B09D6E34015544720732003B7683391E34FFD040B73EF

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 469 401b93-401ba5 RegSetValueExA RegCloseKey 470 40d143-40d1b8 469->470
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseValue
                                                                                          • String ID:
                                                                                          • API String ID: 3132538880-0
                                                                                          • Opcode ID: 8d1ffd4e1db30a3de41eb7b4220ffc1c9475fd541d97c53cfaeaf051eb009d7e
                                                                                          • Instruction ID: 4c22f98cd7c9e98f077693477baae5e06b4a06b3414cbbd33dac7c18dcee98c1
                                                                                          • Instruction Fuzzy Hash: 34018C7541A5918FC709CB24AFB06A93FB5D64A740705107DD1D6AB273D6384C05EB1D
                                                                                          APIs
                                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                                          • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: CtrlDispatcherServiceStartlstrcmpi
                                                                                          • String ID: /chk
                                                                                          • API String ID: 369133424-3837807730
                                                                                          • Opcode ID: bf94812ca6c332d091ad4b42a885db31f7de2e204c73ca7d6ec59c21a7b81bd2
                                                                                          • Instruction ID: 9673a0ded5c8b983d3e052be02671165733424ab24c3791a3204680fb7a92e49
                                                                                          • Instruction Fuzzy Hash: 1DF02434A08356DFDB058BA089146967BB4FB02310B0580FFC486EA197C7388806DF49
                                                                                          APIs
                                                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                            • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
                                                                                          • HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                            • Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocCreateDestroyVersion
                                                                                          • String ID:
                                                                                          • API String ID: 2507506473-0
                                                                                          • Opcode ID: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
                                                                                          • Instruction ID: 13181fdbc77bd6b5762d4953551df96dffaf81345f3f43d3ea23e6f05a00c699
                                                                                          • Instruction Fuzzy Hash: 58F065706547029ADB101F319E4572A3EA89B4075BF10447FFD00F51D1EFBC9784951D
                                                                                          APIs
                                                                                          • SHGetSpecialFolderPathA.SHELL32 ref: 02BEC5AF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BE8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE8000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2be8000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: FolderPathSpecial
                                                                                          • String ID:
                                                                                          • API String ID: 994120019-0
                                                                                          • Opcode ID: 082cab693f4d3d3ac2b62ea854bbbdeab840555d1d8ac3c055dfae13803e30e9
                                                                                          • Instruction ID: 1ade750f14d50410d35c64d49c735c9c786b7e13335a5f88a8a5c2aca599f686
                                                                                          • Instruction Fuzzy Hash: 4C116DF250C504EFE705AE09D881BBEBBE9EB94720F16482DE2C9C7310E63188518B52
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 81c2b33cd779f3770bbade04ffdf75582417cc2f6e97285ea47be6d284f00c90
                                                                                          • Instruction ID: 93b9b1974ed41d96b605e6f2543649dec7ed103e9ca7e63d5c00ca61ae8303bf
                                                                                          • Instruction Fuzzy Hash: C701EF71E10219CFDB08DF98D8A1AEDB3B1FB09300F55856AE452B72A0C738A848CB15
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: CopyFile
                                                                                          • String ID:
                                                                                          • API String ID: 1304948518-0
                                                                                          • Opcode ID: 77cee4b6d02c89c83c6c8276e285ea2bf1f63efd6c688e4d25e383538686599e
                                                                                          • Instruction ID: ad16e0f938f8472db79b29402d126077d4e772f8cfe65a76779df96d21c81dee
                                                                                          • Instruction Fuzzy Hash: 3AD0A7B548800EBDD708C6419D89EE9239CD708719F2000BB7249F30D0DE3849595A3D
                                                                                          APIs
                                                                                          • RegQueryValueExA.KERNELBASE(?), ref: 0040D57B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: QueryValue
                                                                                          • String ID:
                                                                                          • API String ID: 3660427363-0
                                                                                          • Opcode ID: edb662e5df4075614205ad4c2836f805a67019b38716de6e5ac022504569e8d8
                                                                                          • Instruction ID: 26b46432db68fc4713545f90ca74021cbfbc64d50c18903c1266e08affe4bc0b
                                                                                          • Instruction Fuzzy Hash: 1BB092B0D48506EBCB014FA09D04A6DBA71BF44350722483A88A2B1160D7744105AA5A
                                                                                          APIs
                                                                                          • CreateDirectoryA.KERNELBASE ref: 00401E96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateDirectory
                                                                                          • String ID:
                                                                                          • API String ID: 4241100979-0
                                                                                          • Opcode ID: 3de2052f2a00c726d227e4c4dd3299adb09deae8c3c4f630768cff51d50549a6
                                                                                          • Instruction ID: ac672658b327ef22b57dd8096845a6f62d9f9dd2f6b21eb8d4679538076b0d83
                                                                                          • Instruction Fuzzy Hash: 61A02220888330FBC0300AB00F0C8283008080838033200333A8B300C088FE080B2B8F
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 621844428-0
                                                                                          • Opcode ID: 6c15b7e0cb941e7360e5b59663fee49a32cbf71ae8a53d536831a9755e68f830
                                                                                          • Instruction ID: caaeb3edd0182b104b1465d8a7214e334b93cb3688170f1009fa56cc25eb67fe
                                                                                          • Instruction Fuzzy Hash: D3A00221954A01AAE1407BB2EB0AB383910A725706F15417B7296790E18E79014A595F
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: CopyFile
                                                                                          • String ID:
                                                                                          • API String ID: 1304948518-0
                                                                                          • Opcode ID: 697de28deffca7a8713946bf57d344b2cffb3497efeb3799f2ec22fb237049b3
                                                                                          • Instruction ID: 13d0081663d5c949863e01e780637134611a7a95a1637e4bbe86339b43f74999
                                                                                          • Instruction Fuzzy Hash: E1900220604101AFD2000B225F4861536A45505B4171A483D5447E0064DA3980496519
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Open
                                                                                          • String ID:
                                                                                          • API String ID: 71445658-0
                                                                                          • Opcode ID: 2697fc5bc034a1ffb4056f3d6960c569a4768683e8bbd70c4bae01e5f682b149
                                                                                          • Instruction ID: 578dd1ffac1f8e1011a1a5834bce6420265c4f34c8c97087b967ba0ca0ba6dfb
                                                                                          • Opcode Fuzzy Hash: 2697fc5bc034a1ffb4056f3d6960c569a4768683e8bbd70c4bae01e5f682b149
                                                                                          • Instruction Fuzzy Hash: 20900220604101DAE2040A725A082192654660464571149395447E0150DA3580095D29
APIs
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BE8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2be8000_mediacodecpack.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 4beb590eb5de4f737b5df696fb4790cf0caa639c01b1e88ceedd6f48993fd9e8
• Instruction ID: a6cd854d71a10d35a10c86521b0fe4a6810e7e730d2bee0763965d853a1707c6
• Opcode Fuzzy Hash: 4beb590eb5de4f737b5df696fb4790cf0caa639c01b1e88ceedd6f48993fd9e8
• Instruction Fuzzy Hash: C7519EF2608600AFE7096E19DCD577EF7E9EF88724F16492EE6C583340EA3554408A97
APIs
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: InfoSleepStartup
• String ID:
• API String ID: 3346105675-0
• Opcode ID: 820f2d36c53b95829267cfd4d46e36cd9cb5e965e78971ddadb887229b3ef415
• Instruction ID: 9a29c4e619f7a4d8ed8324ebca556abd9c53da00443e6c512cbb7d8c9fa3b2b6
• Opcode Fuzzy Hash: 820f2d36c53b95829267cfd4d46e36cd9cb5e965e78971ddadb887229b3ef415
• Instruction Fuzzy Hash: 8FE08670C06245C6D724CEDC97243AAB3306748306F680137D107762D9C23D8D4EDA1F
APIs
• VirtualAlloc.KERNELBASE(00000000), ref: 0040184D
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 91fd1d15897780a22772685a9e9e11523d47d63b978241df2ce472f9aad5acef
• Instruction ID: 3b235d091506e9fd49973954eb1e1228e6c7b9fea26647d7565d0fb406e94443
• Opcode Fuzzy Hash: 91fd1d15897780a22772685a9e9e11523d47d63b978241df2ce472f9aad5acef
• Instruction Fuzzy Hash: 16D01271849504DFDF084FF4CA48ADDBF30BB10701F110466E906BA1A1CB7CD947AB05
APIs
• Sleep.KERNELBASE(000003E8), ref: 0040D1CF
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 8eeb56a042a3dc7536f4384a1371a3b7fda40716cbfa0a1f94c25bc104d3c431
• Instruction ID: fcb18d1d78468dbf9f57a7137ce4b137392d6aea0d2686bddcdc2e81c808b1ca
• Opcode Fuzzy Hash: 8eeb56a042a3dc7536f4384a1371a3b7fda40716cbfa0a1f94c25bc104d3c431
• Instruction Fuzzy Hash: 20B09234955B409BE28267A08AC96BC7760AB54300F601522AA12A91C08E785A47A50B
APIs
• sqlite3_malloc.SQLITE3 ref: 609674C6
  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_step.SQLITE3 ref: 6096755A
• sqlite3_malloc.SQLITE3 ref: 6096783A
• sqlite3_bind_int64.SQLITE3 ref: 609678A8
• sqlite3_column_bytes.SQLITE3 ref: 609678E8
• sqlite3_column_blob.SQLITE3 ref: 60967901
• sqlite3_column_int64.SQLITE3 ref: 6096791A
• sqlite3_column_int64.SQLITE3 ref: 60967931
• sqlite3_column_int64.SQLITE3 ref: 60967950
• sqlite3_step.SQLITE3 ref: 609679C3
• sqlite3_bind_int64.SQLITE3 ref: 60967AA9
• sqlite3_step.SQLITE3 ref: 60967AB4
• sqlite3_column_int.SQLITE3 ref: 60967AC7
• sqlite3_reset.SQLITE3 ref: 60967AD4
• sqlite3_bind_int.SQLITE3 ref: 60967B89
• sqlite3_step.SQLITE3 ref: 60967B94
• sqlite3_column_int64.SQLITE3 ref: 60967BB0
• sqlite3_column_int64.SQLITE3 ref: 60967BCF
• sqlite3_column_int64.SQLITE3 ref: 60967BE6
• sqlite3_column_bytes.SQLITE3 ref: 60967C05
• sqlite3_column_blob.SQLITE3 ref: 60967C1E
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
• sqlite3_bind_int64.SQLITE3 ref: 60967C72
• sqlite3_step.SQLITE3 ref: 60967C7D
• memcmp.MSVCRT ref: 60967D4C
• sqlite3_free.SQLITE3 ref: 60967D69
• sqlite3_free.SQLITE3 ref: 60967D74
• sqlite3_free.SQLITE3 ref: 60967FF7
• sqlite3_free.SQLITE3 ref: 60968002
  • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
  • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
  • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
  • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
  • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
• sqlite3_reset.SQLITE3 ref: 60967C93
  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
• sqlite3_reset.SQLITE3 ref: 60967CA7
• sqlite3_reset.SQLITE3 ref: 60968035
• sqlite3_bind_int64.SQLITE3 ref: 60967B72
  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
• sqlite3_bind_int64.SQLITE3 ref: 6096809D
• sqlite3_bind_int64.SQLITE3 ref: 609680C6
• sqlite3_step.SQLITE3 ref: 609680D1
• sqlite3_column_int.SQLITE3 ref: 609680F3
• sqlite3_reset.SQLITE3 ref: 60968104
• sqlite3_step.SQLITE3 ref: 60968139
• sqlite3_column_int64.SQLITE3 ref: 60968151
• sqlite3_reset.SQLITE3 ref: 6096818A
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
  • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
• sqlite3_reset.SQLITE3 ref: 609679E9
  • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
• sqlite3_column_bytes.SQLITE3 ref: 60967587
  • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
• sqlite3_column_blob.SQLITE3 ref: 60967572
  • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
• sqlite3_reset.SQLITE3 ref: 609675B7
• sqlite3_bind_int.SQLITE3 ref: 60967641
• sqlite3_step.SQLITE3 ref: 6096764C
• sqlite3_column_int64.SQLITE3 ref: 6096766E
• sqlite3_reset.SQLITE3 ref: 6096768B
• sqlite3_bind_int.SQLITE3 ref: 6096754F
  • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
• sqlite3_bind_int.SQLITE3 ref: 609690B2
• sqlite3_bind_blob.SQLITE3 ref: 609690DB
• sqlite3_step.SQLITE3 ref: 609690E6
• sqlite3_reset.SQLITE3 ref: 609690F1
• sqlite3_free.SQLITE3 ref: 60969102
• sqlite3_free.SQLITE3 ref: 6096910D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
• String ID: $d
• API String ID: 2451604321-2084297493
• Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
• Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
• Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
• Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
APIs
• sqlite3_finalize.SQLITE3 ref: 60966178
• sqlite3_free.SQLITE3 ref: 60966183
• sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
• sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
• sqlite3_value_text.SQLITE3 ref: 60966236
• sqlite3_value_int.SQLITE3 ref: 60966274
• memcmp.MSVCRT ref: 6096639E
  • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
  • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
• sqlite3_mprintf.SQLITE3 ref: 60966B51
• sqlite3_mprintf.SQLITE3 ref: 60966B7D
  • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
  • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
• String ID: ASC$DESC$x
• API String ID: 4082667235-1162196452
• Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
• Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
• Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
• Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                                          APIs
                                                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                                          • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                                          • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                            • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                            • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                            • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                            • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                          • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                                          • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                                          • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                                          • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                                          • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                                          • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                                          • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                                          • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                            • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                                          • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                                          • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                                          • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                                          • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                                          • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                                          • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                                          • String ID:
                                                                                          • API String ID: 961572588-0
                                                                                          • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                          • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                                          • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                          • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                                          • String ID: 2$foreign key$indexed
                                                                                          • API String ID: 4126863092-702264400
                                                                                          • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                          • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                                          • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                          • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_stricmp
                                                                                          • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                                          • API String ID: 912767213-1308749736
                                                                                          • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                          • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                                          • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                          • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                                          APIs
                                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                                          • sqlite3_step.SQLITE3 ref: 6094B496
                                                                                          • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                                          • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                                          • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                            • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                                          • String ID:
                                                                                          • API String ID: 4082478743-0
                                                                                          • Opcode ID: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                          • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                                          • Opcode Fuzzy Hash: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                          • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                                          APIs
                                                                                            • Part of subcall function 02BB8ADD: __EH_prolog.LIBCMT ref: 02BB8AE2
                                                                                            • Part of subcall function 02BB8ADD: _Allocate.LIBCPMT ref: 02BB8B39
                                                                                            • Part of subcall function 02BB8ADD: _memmove.LIBCMT ref: 02BB8B90
                                                                                          • _memset.LIBCMT ref: 02BBF949
                                                                                          • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02BBF9B2
                                                                                          • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02BBF9BA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                          • String ID: Unknown error$invalid string position
                                                                                          • API String ID: 1854462395-1837348584
                                                                                          • Opcode ID: 35383455dfeefe201109a77a664305a13feca52a8cf461ab0a65b2b440cfdb5d
                                                                                          • Instruction ID: 3150f1faabc7196c5b69d1d9207a335879b073cc017e06f1db1c72ef00037701
                                                                                          • Opcode Fuzzy Hash: 35383455dfeefe201109a77a664305a13feca52a8cf461ab0a65b2b440cfdb5d
                                                                                          • Instruction Fuzzy Hash: B151BE706083409FE715DF28C890BBEBBE4EF89344F90496DF492976A1D7B1E588CB52
                                                                                          APIs
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                                          • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                          • String ID: BINARY$INTEGER
                                                                                          • API String ID: 317512412-1676293250
                                                                                          • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                          • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                                          • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                          • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                                          APIs
                                                                                          • WSASetLastError.WS2_32(00000000), ref: 02BB2BE4
                                                                                          • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02BB2C07
                                                                                            • Part of subcall function 02BB950D: WSAGetLastError.WS2_32(00000000,?,?,02BB2A51), ref: 02BB951B
                                                                                          • WSASetLastError.WS2_32 ref: 02BB2CD3
                                                                                          • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02BB2CE7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$Recvselect
                                                                                          • String ID: 3'
                                                                                          • API String ID: 886190287-280543908
                                                                                          • Opcode ID: 2e5e4cbe580e2dd62a87e99e2684ecf10b00ee5f9c571dc6ede61ef160ec214b
                                                                                          • Instruction ID: 30d94b28997a760f11084dfb79628bf98fcaed400bf0422f73d85a8c913396eb
                                                                                          • Opcode Fuzzy Hash: 2e5e4cbe580e2dd62a87e99e2684ecf10b00ee5f9c571dc6ede61ef160ec214b
                                                                                          • Instruction Fuzzy Hash: F8417CB19057018FDB229F78C9147FBBBE9EF84355F10499EE899C7280EBB0D4418B92
                                                                                          APIs
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                                            • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                                            • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                                            • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                          • String ID:
                                                                                          • API String ID: 4038589952-0
                                                                                          • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                          • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                                          • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                          • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                                          APIs
                                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                          • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                            • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                          • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                                          • sqlite3_step.SQLITE3 ref: 6096A435
                                                                                          • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                                          • String ID:
                                                                                          • API String ID: 247099642-0
                                                                                          • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                          • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                                                          • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                          • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                                                          APIs
                                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                          • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                          • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                            • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                          • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                                          • String ID:
                                                                                          • API String ID: 326482775-0
                                                                                          • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                          • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                                                          • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                          • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                                                          APIs
                                                                                          • CreateServiceA.ADVAPI32 ref: 00401CFB
                                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00401EEA
                                                                                          • CloseServiceHandle.ADVAPI32(?), ref: 0040D23C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Create
                                                                                          • String ID:
                                                                                          • API String ID: 2095555506-0
                                                                                          • Opcode ID: 798336170624c8ac89b9a2c31719ae8e1c376ef6816bfeab9d8cee1d71777bcc
                                                                                          • Instruction ID: 94f379f039eced8726fb3cb338ec06236e1c18fcefb958c6377dd5f00325babe
                                                                                          • Opcode Fuzzy Hash: 798336170624c8ac89b9a2c31719ae8e1c376ef6816bfeab9d8cee1d71777bcc
                                                                                          • Instruction Fuzzy Hash: A6D09E31D44114EACF201BD19D48D6E2E79A7443A4F2504BAE501760F0C6799946FA5A
                                                                                          APIs
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                          • String ID:
                                                                                          • API String ID: 1477753154-0
                                                                                          • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                          • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                                                          • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                          • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                                                          APIs
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02BC3B06,?,?,?,00000001), ref: 02BC80ED
                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02BC80F6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                          • String ID:
                                                                                          • API String ID: 3192549508-0
                                                                                          • Opcode ID: cceaf5d9df460893334ac4f97d358e9c8178558779ac7956533b6d5d5c508dbe
                                                                                          • Instruction ID: 7577d3f64a282b87dac4aa2b7abc0f60d4939a13d11d246f9784a0a448a1c459
                                                                                          • Opcode Fuzzy Hash: cceaf5d9df460893334ac4f97d358e9c8178558779ac7956533b6d5d5c508dbe
                                                                                          • Instruction Fuzzy Hash: 79B09231485208ABCB202B91E829B983F28FB046D3FC48810F60EC6050AB6255609BD2
                                                                                          APIs
                                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                          • String ID:
                                                                                          • API String ID: 1465156292-0
                                                                                          • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                          • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                                          • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                          • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                                          APIs
                                                                                          • _memset.LIBCMT ref: 02BBE873
                                                                                            • Part of subcall function 02BBE6FA: _memmove.LIBCMT ref: 02BBE7B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _memmove_memset
                                                                                          • String ID:
                                                                                          • API String ID: 3555123492-0
                                                                                          • Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                          • Instruction ID: ee1ffe034c99e121fb671350ca847c4c9b460074ce6f42694c5366b7c7daa49e
                                                                                          • Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                          • Instruction Fuzzy Hash: 97F082B190430DAAD700DF99D946B9DFBB8FF44310F20817AD50CA7341E6B07A118B90
                                                                                          APIs
                                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: CtrlDispatcherServiceStart
                                                                                          • String ID:
                                                                                          • API String ID: 3789849863-0
                                                                                          • Opcode ID: 4fe4cdbd69d76611cbe8f8d839fbcf879ed414cccbfa791050e202b1d5f79f32
                                                                                          • Instruction ID: da040a5c410dac6804bc47ba04513fdabb8688a912b3c46f63b6c3d26f8cee3d
                                                                                          • Opcode Fuzzy Hash: 4fe4cdbd69d76611cbe8f8d839fbcf879ed414cccbfa791050e202b1d5f79f32
                                                                                          • Instruction Fuzzy Hash: B7E09A30811919DBDB50AF60DE887DA73B4FB82751F0081F6C84AB6191C7308A9ACF9A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7b3572c4825024628219a14e3466c11b8526f5c245e45a2c5ada6b05d28a57a2
                                                                                          • Instruction ID: 77de89feb31afb9f7e0b899b04aa460afec8cc02b7427acd4b9af8aa9f5f91e1
                                                                                          • Opcode Fuzzy Hash: 7b3572c4825024628219a14e3466c11b8526f5c245e45a2c5ada6b05d28a57a2
                                                                                          • Instruction Fuzzy Hash: A8E0BF7AD554658FCB00CA6DD9949EEBB70AA0472971A4145AC5037385C234AC41C6D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                          • Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
                                                                                          • Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                          • Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291
                                                                                          APIs
                                                                                          • sqlite3_free.SQLITE3 ref: 609264C9
                                                                                          • sqlite3_free.SQLITE3 ref: 60926526
                                                                                          • sqlite3_free.SQLITE3 ref: 6092652E
                                                                                          • sqlite3_free.SQLITE3 ref: 60926550
                                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            • Part of subcall function 6090AFF5: sqlite3_free.SQLITE3 ref: 6090B09A
                                                                                          • sqlite3_free.SQLITE3 ref: 60926626
                                                                                          • sqlite3_win32_mbcs_to_utf8.SQLITE3 ref: 6092662E
                                                                                          • sqlite3_free.SQLITE3 ref: 60926638
                                                                                          • sqlite3_snprintf.SQLITE3 ref: 6092666B
                                                                                          • sqlite3_free.SQLITE3 ref: 60926673
                                                                                          • sqlite3_snprintf.SQLITE3 ref: 609266B8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                                                          • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                          • API String ID: 937752868-2111127023
                                                                                          • Opcode ID: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
                                                                                          • Instruction ID: 28f04709130b2e8b140c84fcd32bad5e17fba194e1ccee1aab8ced89c5ccf9cf
                                                                                          • Opcode Fuzzy Hash: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
                                                                                          • Instruction Fuzzy Hash: EA712E706183058FE700AF69D88465DBFF6AFA5748F00C82DE8999B314E778C845DF92
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB4608
                                                                                            • Part of subcall function 02BC27C5: _malloc.LIBCMT ref: 02BC27DD
                                                                                          • htons.WS2_32(?), ref: 02BB4669
                                                                                          • htonl.WS2_32(?), ref: 02BB468C
                                                                                          • htonl.WS2_32(00000000), ref: 02BB4693
                                                                                          • htons.WS2_32(00000000), ref: 02BB4747
                                                                                          • _sprintf.LIBCMT ref: 02BB475D
                                                                                            • Part of subcall function 02BB7990: _memmove.LIBCMT ref: 02BB79B0
                                                                                          • htons.WS2_32(?), ref: 02BB46B0
                                                                                            • Part of subcall function 02BB873B: __EH_prolog.LIBCMT ref: 02BB8740
                                                                                            • Part of subcall function 02BB873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 02BB87BB
                                                                                            • Part of subcall function 02BB873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BB87D9
                                                                                            • Part of subcall function 02BB1BA7: __EH_prolog.LIBCMT ref: 02BB1BAC
                                                                                            • Part of subcall function 02BB1BA7: RtlEnterCriticalSection.NTDLL ref: 02BB1BBC
                                                                                            • Part of subcall function 02BB1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BB1BEA
                                                                                            • Part of subcall function 02BB1BA7: RtlEnterCriticalSection.NTDLL ref: 02BB1C13
                                                                                            • Part of subcall function 02BB1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BB1C56
                                                                                            • Part of subcall function 02BBCEF7: __EH_prolog.LIBCMT ref: 02BBCEFC
                                                                                          • htonl.WS2_32(?), ref: 02BB497C
                                                                                          • htonl.WS2_32(00000000), ref: 02BB4983
                                                                                          • htonl.WS2_32(00000000), ref: 02BB49C8
                                                                                          • htonl.WS2_32(00000000), ref: 02BB49CF
                                                                                          • htons.WS2_32(?), ref: 02BB49EF
                                                                                          • htons.WS2_32(?), ref: 02BB49F9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                          • String ID: H&t
                                                                                          • API String ID: 1645262487-360592235
                                                                                          • Opcode ID: 3ed6bead7b5927f150d096977433c472bd66999e170a8be4f69fca938d1946bd
                                                                                          • Instruction ID: c4098100080b65de79ebebdb9e99fd51588cf654c447aafee0a4c89e7f18850c
                                                                                          • Opcode Fuzzy Hash: 3ed6bead7b5927f150d096977433c472bd66999e170a8be4f69fca938d1946bd
                                                                                          • Instruction Fuzzy Hash: D9022A71C01259EEDF16DBA4C854BFEBBB9BF08304F10459AE505B7281DBB46A84CF61
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02BB1D11
                                                                                          • GetLastError.KERNEL32 ref: 02BB1D23
                                                                                            • Part of subcall function 02BB1712: __EH_prolog.LIBCMT ref: 02BB1717
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02BB1D59
                                                                                          • GetLastError.KERNEL32 ref: 02BB1D6B
                                                                                          • __beginthreadex.LIBCMT ref: 02BB1DB1
                                                                                          • GetLastError.KERNEL32 ref: 02BB1DC6
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BB1DDD
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BB1DEC
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02BB1E14
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BB1E1B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                          • String ID: thread$thread.entry_event$thread.exit_event
                                                                                          • API String ID: 831262434-3017686385
                                                                                          • Opcode ID: 5053162679d0b4910a072022a9c0374701245de62e5681a34fc76f1418a8c89d
                                                                                          • Instruction ID: 5fa24e483c6731e1ddb7beeb5fd4bc1fee8e382955033d48ec230a16c9053dd8
                                                                                          • Opcode Fuzzy Hash: 5053162679d0b4910a072022a9c0374701245de62e5681a34fc76f1418a8c89d
                                                                                          • Instruction Fuzzy Hash: 57315C759003019FD711EF28C858BABBBA5EF84750F5049ADF859CB290EBB09949CBD2
                                                                                          APIs
                                                                                          • RtlDecodePointer.NTDLL(?), ref: 02BC6EF8
                                                                                          • _free.LIBCMT ref: 02BC6F11
                                                                                            • Part of subcall function 02BC1F84: HeapFree.KERNEL32(00000000,00000000,?,02BC4942,00000000,00000104,76F90A60), ref: 02BC1F98
                                                                                            • Part of subcall function 02BC1F84: GetLastError.KERNEL32(00000000,?,02BC4942,00000000,00000104,76F90A60), ref: 02BC1FAA
                                                                                          • _free.LIBCMT ref: 02BC6F24
                                                                                          • _free.LIBCMT ref: 02BC6F42
                                                                                          • _free.LIBCMT ref: 02BC6F54
                                                                                          • _free.LIBCMT ref: 02BC6F65
                                                                                          • _free.LIBCMT ref: 02BC6F70
                                                                                          • _free.LIBCMT ref: 02BC6F94
                                                                                          • RtlEncodePointer.NTDLL(0073A3E0), ref: 02BC6F9B
                                                                                          • _free.LIBCMT ref: 02BC6FB0
                                                                                          • _free.LIBCMT ref: 02BC6FC6
                                                                                          • _free.LIBCMT ref: 02BC6FEE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                          • String ID: xCs
                                                                                          • API String ID: 3064303923-3086736570
                                                                                          • Opcode ID: 737f6530432fe1f3580364001418165856b7b98a1a77b6b29ac7ac8e550961b9
                                                                                          • Instruction ID: e2ab115395eec4a74703f92c99a5ad3383b290a033343eb703f9f6faf5ee2637
                                                                                          • Opcode Fuzzy Hash: 737f6530432fe1f3580364001418165856b7b98a1a77b6b29ac7ac8e550961b9
                                                                                          • Instruction Fuzzy Hash: 1421E236C85211CFDF20AF28F840E4977B9EB453A533949BEE848AB241C7315C64CFA0
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB24E6
                                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02BB24FC
                                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BB250E
                                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BB256D
                                                                                          • SetLastError.KERNEL32(00000000,?,76F8DFB0), ref: 02BB257F
                                                                                          • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,76F8DFB0), ref: 02BB2599
                                                                                          • GetLastError.KERNEL32(?,76F8DFB0), ref: 02BB25A2
                                                                                          • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BB25F0
                                                                                          • InterlockedDecrement.KERNEL32(00000002), ref: 02BB262F
                                                                                          • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02BB268E
                                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BB2699
                                                                                          • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02BB26AD
                                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,76F8DFB0), ref: 02BB26BD
                                                                                          • GetLastError.KERNEL32(?,76F8DFB0), ref: 02BB26C7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                          • String ID:
                                                                                          • API String ID: 1213838671-0
                                                                                          • Opcode ID: 6a48c992d8d6dcc9bde82258f4497177c080e26c01e21342237b2684a80357d1
                                                                                          • Instruction ID: 87b9939300b6be8c9ed7b6710af53dfff6973f721fa63324641d83a6dd9d3248
                                                                                          • Opcode Fuzzy Hash: 6a48c992d8d6dcc9bde82258f4497177c080e26c01e21342237b2684a80357d1
                                                                                          • Instruction Fuzzy Hash: 44616E71D01609EFCB21DFA4C894AEEBBB9FF08350F50496AE916E7240E7709944CFA0
                                                                                          APIs
                                                                                          • RegisterServiceCtrlHandlerA.ADVAPI32(MediaCodecPack,Function_000019C8), ref: 00401A25
                                                                                          • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401A84
                                                                                          • GetLastError.KERNEL32 ref: 00401A86
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00401A93
                                                                                          • GetLastError.KERNEL32 ref: 00401AB4
                                                                                          • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401AE4
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00001897,00000000,00000000,00000000), ref: 00401AF0
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401AF9
                                                                                          • CloseHandle.KERNEL32 ref: 00401B05
                                                                                          • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401B2E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                          • String ID: MediaCodecPack
                                                                                          • API String ID: 3346042915-199385074
                                                                                          • Opcode ID: cca009b725d80f918f5385075355cc3301aa37e01b24cb08a35ee5e129ff42f2
                                                                                          • Instruction ID: 532dd47a677431e4b3997e11c6aba14a110aa56271c5c3b89ba5cdee744870bf
                                                                                          • Opcode Fuzzy Hash: cca009b725d80f918f5385075355cc3301aa37e01b24cb08a35ee5e129ff42f2
                                                                                          • Instruction Fuzzy Hash: D621B8B1501244ABD3206F16EF48E967FB8EB95B55B15403EE245B23B1CBF90444CBED
                                                                                          APIs
                                                                                            • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                            • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                            • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                            • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                            • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                            • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                            • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                          • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                                          • sqlite3_free.SQLITE3 ref: 609605EA
                                                                                          • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                                          • sqlite3_free.SQLITE3 ref: 60960618
                                                                                          • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                          • String ID: offsets
                                                                                          • API String ID: 463808202-2642679573
                                                                                          • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                          • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                                          • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                          • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB4D8B
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB4DB7
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB4DC3
                                                                                            • Part of subcall function 02BB4BED: __EH_prolog.LIBCMT ref: 02BB4BF2
                                                                                            • Part of subcall function 02BB4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02BB4CF2
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB4E93
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB4E99
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB4EA0
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB4EA6
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB50A7
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB50AD
                                                                                          • RtlEnterCriticalSection.NTDLL(02BE4FD0), ref: 02BB50B8
                                                                                          • RtlLeaveCriticalSection.NTDLL(02BE4FD0), ref: 02BB50C1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                          • String ID:
                                                                                          • API String ID: 2062355503-0
                                                                                          • Opcode ID: c9a6e7ab4d8a0fac1202b1d5d33c594b35823f37252c51a9378fbc6200e6e7eb
                                                                                          • Instruction ID: 0888143faf296e9fdab4fb41aad2b070dcccbc7031f65d337833596c782a84f2
                                                                                          • Opcode Fuzzy Hash: c9a6e7ab4d8a0fac1202b1d5d33c594b35823f37252c51a9378fbc6200e6e7eb
                                                                                          • Instruction Fuzzy Hash: 4AB15D71D0025DDFEF26DFA0D850BEEBBB5AF04318F144099E40976191DBB45A49CFA2
                                                                                          APIs
                                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                                          • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                                          • String ID:
                                                                                          • API String ID: 2903785150-0
APIs
• __EH_prolog.LIBCMT ref: 02BB3428
• GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02BB346B
• GetProcAddress.KERNEL32(00000000), ref: 02BB3472
• GetLastError.KERNEL32 ref: 02BB3486
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02BB34D7
• RtlEnterCriticalSection.NTDLL(00000018), ref: 02BB34ED
• RtlLeaveCriticalSection.NTDLL(00000018), ref: 02BB3518
Strings
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
• String ID: CancelIoEx$KERNEL32
• API String ID: 2902213904-434325024
APIs
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
• sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
• sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
• sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
• sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
• String ID:
• API String ID: 3556715608-0
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403EF1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408574,?,004085C4,?,?,?,Runtime Error!Program: ), ref: 004060FA
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406112
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00406123
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406130
Strings
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
Strings
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID:
• String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
• API String ID: 0-780898
Strings
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID:
• String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
• API String ID: 0-2604012851
APIs
• LCMapStringW.KERNEL32(00000000,00000100,00408640,00000001,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 00406409
• LCMapStringA.KERNEL32(00000000,00000100,0040863C,00000001,00000000,00000000,?,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406425
• LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00405E87,?,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 0040646E
• MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 004064A6
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004064FE
• LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 00406514
• LCMapStringW.KERNEL32(00000000,?,00405E87,00000000,00405E87,?,?,00405E87,00200020,00000000,?,00000000), ref: 00406547
• LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004065AF
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID:
• API String ID: 352835431-0
APIs
• sqlite3_value_text.SQLITE3 ref: 6095F030
• sqlite3_value_text.SQLITE3 ref: 6095F03E
• sqlite3_stricmp.SQLITE3 ref: 6095F0B3
• sqlite3_free.SQLITE3 ref: 6095F180
  • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
  • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
• sqlite3_free.SQLITE3 ref: 6095F1BD
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_result_error_code.SQLITE3 ref: 6095F34E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
• String ID: |
• API String ID: 1576672187-2343686810
APIs
• sqlite3_snprintf.SQLITE3 ref: 6095D450
  • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
• sqlite3_snprintf.SQLITE3 ref: 6095D4A1
• sqlite3_snprintf.SQLITE3 ref: 6095D525
Strings
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_snprintf$sqlite3_vsnprintf
• String ID: $)><$sqlite_master$sqlite_temp_master
• API String ID: 652164897-1572359634
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E3A
• GetStdHandle.KERNEL32(000000F4,00408574,00000000,?,00000000,00000000), ref: 00403F10
• WriteFile.KERNEL32(00000000), ref: 00403F17
Strings
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
                                                                                          APIs
                                                                                          • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                                          • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                                          • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                                          • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                          • String ID:
                                                                                          • API String ID: 2352520524-0
                                                                                          • Opcode ID: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                                          • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                                                          • Opcode Fuzzy Hash: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                                          • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                                                          APIs
                                                                                            • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                            • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                            • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                          • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                                            • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                          • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                                            • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                            • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                            • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                          • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                                          • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                                          • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                                          • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                          • String ID: optimize
                                                                                          • API String ID: 3659050757-3797040228
                                                                                          • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                          • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                                                          • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                          • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                                                          APIs
                                                                                          • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                                                          • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                                                          • sqlite3_reset.SQLITE3 ref: 60965556
                                                                                          • sqlite3_reset.SQLITE3 ref: 609655B8
                                                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                          • sqlite3_malloc.SQLITE3 ref: 60965655
                                                                                          • sqlite3_free.SQLITE3 ref: 60965714
                                                                                          • sqlite3_free.SQLITE3 ref: 6096574B
                                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                          • sqlite3_free.SQLITE3 ref: 609657AA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                                                          • String ID:
                                                                                          • API String ID: 2722129401-0
                                                                                          • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                          • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                                                          • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                          • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                                                          APIs
                                                                                          • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                                            • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                                          • sqlite3_free.SQLITE3 ref: 609647C5
                                                                                            • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                                          • sqlite3_free.SQLITE3 ref: 6096476B
                                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                          • sqlite3_free.SQLITE3 ref: 6096477B
                                                                                          • sqlite3_free.SQLITE3 ref: 60964783
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                                          • String ID:
                                                                                          • API String ID: 571598680-0
                                                                                          • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                          • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                                          • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                          • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                                          APIs
                                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040372D
                                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 00403741
                                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040376D
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037A5
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037C7
                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037E0
                                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 004037F3
                                                                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403831
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 1823725401-0
                                                                                          • Opcode ID: 7f1ee2c931afbeb2bcd72820eb8f065979dd47f7a99393091ec5d7620f58e433
                                                                                          • Instruction ID: 45b108152198534a65e95edcfca0b8ba0a54c8eec5aa0c4c05c1d64ec2385aa0
                                                                                          • Opcode Fuzzy Hash: 7f1ee2c931afbeb2bcd72820eb8f065979dd47f7a99393091ec5d7620f58e433
                                                                                          • Instruction Fuzzy Hash: 2131D2F35082619ED7203F745DC483BBE9CEA4530A715453FF981F3280DA795D4286A9
                                                                                          APIs
                                                                                          • OpenEventA.KERNEL32(00100002,00000000,00000000,D45761CE), ref: 02BC06C0
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BC06D5
                                                                                          • ResetEvent.KERNEL32(00000000,D45761CE), ref: 02BC06DF
                                                                                          • CloseHandle.KERNEL32(00000000,D45761CE), ref: 02BC0714
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,D45761CE), ref: 02BC078A
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BC079F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEventHandle$CreateOpenReset
                                                                                          • String ID:
                                                                                          • API String ID: 1285874450-0
                                                                                          • Opcode ID: 4a00ba2c42df5a9f3768df2ea0cb1e21265f1bfae5ed2ee547ced2616c05b8b1
                                                                                          • Instruction ID: f01d44bb0cef4326cac162a3faa565c0755a8449ad122e7b9625d2f3bcd3eca9
                                                                                          • Opcode Fuzzy Hash: 4a00ba2c42df5a9f3768df2ea0cb1e21265f1bfae5ed2ee547ced2616c05b8b1
                                                                                          • Instruction Fuzzy Hash: 88413070D05358EBDF24EFA5C848B9EB7B8EF05714F604669E418EB280D7309905CF91
                                                                                          APIs
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BB20AC
                                                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02BB20CD
                                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BB20D8
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 02BB213E
                                                                                          • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02BB217A
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 02BB2187
                                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BB21A6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                          • String ID:
                                                                                          • API String ID: 1171374749-0
                                                                                          • Opcode ID: 20e275583ccc87a227c7854e31b4e5c4fe1582807a523d672a1fcd56b25a13cd
                                                                                          • Instruction ID: 31989f178e29114d0c2ccb8126cdf75f00a6fc2f1e1c265e44775a903ac73f2b
                                                                                          • Opcode Fuzzy Hash: 20e275583ccc87a227c7854e31b4e5c4fe1582807a523d672a1fcd56b25a13cd
                                                                                          • Instruction Fuzzy Hash: 63413675504705AFC322DF25C884AABBBE9FFC8654F404A5EA89A83250E770E545CFA2
                                                                                          APIs
                                                                                            • Part of subcall function 02BC0EE0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02BC073E,?,?), ref: 02BC0F0F
                                                                                            • Part of subcall function 02BC0EE0: CloseHandle.KERNEL32(00000000,?,?,02BC073E,?,?), ref: 02BC0F24
                                                                                            • Part of subcall function 02BC0EE0: SetEvent.KERNEL32(00000000,02BC073E,?,?), ref: 02BC0F37
                                                                                          • OpenEventA.KERNEL32(00100002,00000000,00000000,D45761CE), ref: 02BC06C0
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BC06D5
                                                                                          • ResetEvent.KERNEL32(00000000,D45761CE), ref: 02BC06DF
                                                                                          • CloseHandle.KERNEL32(00000000,D45761CE), ref: 02BC0714
                                                                                          • __CxxThrowException@8.LIBCMT ref: 02BC0745
                                                                                            • Part of subcall function 02BC31CA: RaiseException.KERNEL32(?,?,02BBEB63,?,?,?,?,?,?,?,02BBEB63,?,02BDECA8,?), ref: 02BC321F
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,D45761CE), ref: 02BC078A
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BC079F
                                                                                            • Part of subcall function 02BC0C20: GetCurrentProcessId.KERNEL32(?), ref: 02BC0C79
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,D45761CE), ref: 02BC07AF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                          • String ID:
                                                                                          • API String ID: 2227236058-0
                                                                                          • Opcode ID: cfb523ede611e1f04189fc072fdc78f6ceed82b1c4af2e8c7f56661097344afd
                                                                                          • Instruction ID: 9d54378aa1f5ccbc990f8ec07c61ffdbf5cd50a896ab798ff84310d126a4f0f3
                                                                                          • Opcode Fuzzy Hash: cfb523ede611e1f04189fc072fdc78f6ceed82b1c4af2e8c7f56661097344afd
                                                                                          • Instruction Fuzzy Hash: 78314071D01319EBDF24EBA4CC44BADB7B9EF04714F2449AEE818EB280E73099058F61
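The per-function blocks above (an "APIs" list, a "Memory Dump Source" entry and a "Similarity" record with fuzzy hashes) are easier to triage as structured records than as report text: functions whose dump is "based on PE: false" and carry a "Yara matches" marker, such as the ones at 02BB1000, are the unpacked stage rather than the CRT or SQLite code at 00400000 and 60900000, and the Instruction Fuzzy Hash lets the same function be matched across samples. The parser below is an added example, not Joe Sandbox's own code; the record layout and helper names are my own, and the SAMPLE text is a constructed excerpt copied from blocks on this page, including the "Download File" link text the HTML export leaves glued to the Associated entries.

```python
"""Parse Joe Sandbox per-function "APIs" blocks into triage records.

Added illustration, not Joe Sandbox code. Record layout and helper names
are assumptions of this example; SAMPLE is a constructed excerpt in the
shape of the report blocks on this page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for indirect calls.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SOURCE_RE = re.compile(
    r"^Source File:\s*(?P<file>\S+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity", "Yara matches"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    pe_backed: bool = False            # "based on PE: true/false"
    associated: List[str] = field(default_factory=list)
    yara_match: bool = False           # a "Yara matches" header was present
    similarity: Dict[str, str] = field(default_factory=dict)


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the report text at each "APIs" header and fill one record per function."""
    blocks: List[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":
                blocks.append(FunctionBlock())
            elif section == "Yara matches" and blocks:
                blocks[-1].yara_match = True
            continue
        if not blocks or not line.startswith("•"):
            continue
        item = line.lstrip("•").strip()
        # The HTML export glues the "Download File" link text onto dump entries.
        if item.endswith("Download File"):
            item = item[:-len("Download File")].rstrip()
        block = blocks[-1]
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                block.apis.append(ApiCall(m["name"], m["module"], int(m["ref"], 16),
                                          int(m["sub"], 16) if m["sub"] else None))
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(item)
            if m:
                block.source_file = m["file"]
                block.offset = int(m["offset"], 16)
                block.pe_backed = m["pe"] == "true"
            elif item.startswith("Associated:"):
                block.associated.append(item[len("Associated:"):].strip())
        elif section == "Similarity":
            key, _, value = item.partition(":")   # values may contain ':' themselves
            block.similarity[key.strip()] = value.strip()
    return blocks


def direct_api_names(block: FunctionBlock) -> List[str]:
    """APIs the function calls itself, excluding those attributed to subcalls."""
    return sorted({a.name for a in block.apis if a.subcall_of is None})


def unbacked_functions(blocks: List[FunctionBlock]) -> List[FunctionBlock]:
    """Functions dumped from memory with no PE image behind them: the unpacked stage."""
    return [b for b in blocks if not b.pe_backed]


def find_by_instruction_hash(blocks: List[FunctionBlock], fuzzy_hash: str) -> List[FunctionBlock]:
    """Pivot on the Instruction Fuzzy Hash to find the same function in other blocks."""
    return [b for b in blocks if b.similarity.get("Instruction Fuzzy Hash") == fuzzy_hash]


# Constructed excerpt: two blocks copied from this report, one CRT function backed
# by the PE at 00400000 and one Yara-matched function in unbacked memory at 02BB1000.
SAMPLE = """
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E3A
• GetStdHandle.KERNEL32(000000F4,00408574,00000000,?,00000000,00000000), ref: 00403F10
• WriteFile.KERNEL32(00000000), ref: 00403F17
Strings
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• Instruction Fuzzy Hash: 3331C172A002186FDF24EA60DE4AFEA776CAB45304F10057FF584F61D1DAB8AE448A5D
APIs
  • Part of subcall function 02BC0EE0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02BC073E,?,?), ref: 02BC0F0F
• OpenEventA.KERNEL32(00100002,00000000,00000000,D45761CE), ref: 02BC06C0
• CloseHandle.KERNEL32(00000000), ref: 02BC06D5
• __CxxThrowException@8.LIBCMT ref: 02BC0745
• WaitForSingleObject.KERNEL32(00000000,000000FF,D45761CE), ref: 02BC07AF
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
• Instruction Fuzzy Hash: 78314071D01319EBDF24EBA4CC44BADB7B9EF04714F2449AEE818EB280E73099058F61
"""

if __name__ == "__main__":
    for b in unbacked_functions(parse_blocks(SAMPLE)):
        print(hex(b.offset), b.yara_match, direct_api_names(b))
```

Run it against the full report text and the unbacked, Yara-matched blocks are the ones to open first in the IDA snapshot; the Instruction Fuzzy Hash of each can then be carried to other reports to spot the same function under a different packer.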
                                                                                          APIs
                                                                                          • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                            • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                                          • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                                          • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                                          • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                          • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                          • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                          • sqlite3_free.SQLITE3 ref: 60963621
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                                          • String ID:
                                                                                          • API String ID: 4276469440-0
                                                                                          • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                          • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                                                          • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                          • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                                                          APIs
                                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BB2706
                                                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BB272B
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BD3173), ref: 02BB2738
                                                                                            • Part of subcall function 02BB1712: __EH_prolog.LIBCMT ref: 02BB1717
                                                                                          • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02BB2778
                                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BB27D9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                          • String ID: timer
                                                                                          • API String ID: 4293676635-1792073242
                                                                                          • Opcode ID: e2e2b47ade1af6e0ebe31830f4517024bc1adc069f12b81a656ee15caead6376
                                                                                          • Instruction ID: c1630a999e2ae06149d727de2d3f27c79037519eadda1d64d9e34979fbe7e2c8
                                                                                          • Opcode Fuzzy Hash: e2e2b47ade1af6e0ebe31830f4517024bc1adc069f12b81a656ee15caead6376
                                                                                          • Instruction Fuzzy Hash: FC31BEB1805705AFD311DF25C884BA6BBE8FF48765F404A6EF85583A80E7B0E814CFA5
                                                                                          APIs
                                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                                          Strings
                                                                                          • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                                          • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                                          • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                          • API String ID: 4080917175-264706735
                                                                                          • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                          • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                                                          • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                          • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                                                          APIs
                                                                                            • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                                          • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                                          • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                          • String ID: library routine called out of sequence$out of memory
                                                                                          • API String ID: 2019783549-3029887290
                                                                                          • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                          • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                                                          • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                          • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                                                          APIs
                                                                                          • __init_pointers.LIBCMT ref: 02BC4A04
                                                                                            • Part of subcall function 02BC70C0: RtlEncodePointer.NTDLL(00000000), ref: 02BC70C3
                                                                                            • Part of subcall function 02BC70C0: __initp_misc_winsig.LIBCMT ref: 02BC70DE
                                                                                            • Part of subcall function 02BC70C0: GetModuleHandleW.KERNEL32(kernel32.dll,?,02BDF248,00000008,00000003,02BDEC8C,?,00000001), ref: 02BC7E41
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02BC7E55
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02BC7E68
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02BC7E7B
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02BC7E8E
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02BC7EA1
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02BC7EB4
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02BC7EC7
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02BC7EDA
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02BC7EED
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02BC7F00
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02BC7F13
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02BC7F26
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02BC7F39
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02BC7F4C
                                                                                            • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02BC7F5F
                                                                                          • __mtinitlocks.LIBCMT ref: 02BC4A09
                                                                                          • __mtterm.LIBCMT ref: 02BC4A12
                                                                                            • Part of subcall function 02BC4A7A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02BC74F6
                                                                                            • Part of subcall function 02BC4A7A: _free.LIBCMT ref: 02BC74FD
                                                                                            • Part of subcall function 02BC4A7A: RtlDeleteCriticalSection.NTDLL(02BE1978), ref: 02BC751F
                                                                                          • __calloc_crt.LIBCMT ref: 02BC4A37
                                                                                          • __initptd.LIBCMT ref: 02BC4A59
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 02BC4A60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                          • String ID:
                                                                                          • API String ID: 3567560977-0
                                                                                          • Opcode ID: 80ee9e7a93bc8b43358a08a7d60a9787cdab2ca4ec06acdc5a3ee7bd915a996c
                                                                                          • Instruction ID: af45f6d648a37677f29cf64e4ec3553cdd8c8a49f2df3f51e0c3c6061783b69a
                                                                                          • Opcode Fuzzy Hash: 80ee9e7a93bc8b43358a08a7d60a9787cdab2ca4ec06acdc5a3ee7bd915a996c
                                                                                          • Instruction Fuzzy Hash: C9F0F0325587116EEA347A387C2576A2AEAEF02370F300AEEF474D90D0FF2085016D44
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 02BC24EB
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BC24F2
                                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 02BC24FE
                                                                                          • RtlDecodePointer.NTDLL(00000001), ref: 02BC251B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                          • String ID: RoInitialize$combase.dll
                                                                                          • API String ID: 3489934621-340411864
                                                                                          • Opcode ID: 2d4d0da649dde567729357797788df0c29216574c8eb5f35e958545c878f710f
                                                                                          • Instruction ID: 58712a821c3ca3f6aab708c29ad4e35d80cd65aef9338d440ebe67f264db4c7b
                                                                                          • Opcode Fuzzy Hash: 2d4d0da649dde567729357797788df0c29216574c8eb5f35e958545c878f710f
                                                                                          • Instruction Fuzzy Hash: 2CE0E571ED1201EBEF605BB0FC69B983BB8A740787F9488B4B102DB091EBB450A48F14
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02BC24C0), ref: 02BC25C0
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BC25C7
                                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 02BC25D2
                                                                                          • RtlDecodePointer.NTDLL(02BC24C0), ref: 02BC25ED
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                          • String ID: RoUninitialize$combase.dll
                                                                                          • API String ID: 3489934621-2819208100
                                                                                          • Opcode ID: 6e9da64823cea7fc8a5d7221b382e48edaa82eb647c0fdb170debc0a706c4e30
                                                                                          • Instruction ID: 5a27f7bee2bc6a93400dbc9aa6473efd7d352867481413538f8792693c25e341
                                                                                          • Opcode Fuzzy Hash: 6e9da64823cea7fc8a5d7221b382e48edaa82eb647c0fdb170debc0a706c4e30
                                                                                          • Instruction Fuzzy Hash: DDE0B670DC2201EFEB205B60BC2DB953B79B704796F504C64F505EB196EBB865A48B10
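The GetProcAddress chain under __init_pointers (FlsAlloc through CloseThreadpoolWait, tagged LIBCMT and reached via __initp_misc_winsig) and the two combase.dll loaders above are the statically linked MSVC C runtime resolving its own optional Win32 entry points at startup, not the payload resolving APIs by hand; they are enough to trip the "dynamically determine API calls" signature, so an analyst triaging this listing wants to subtract them before looking for anything the packer or the Socks5Systemz payload resolves itself. The Python helper below is an added example, not code from Joe Sandbox or from this report: it parses "APIs" lines in the format shown on this page (the sample is copied from the listings above), separates the CRT's known lazy-bound names from anything unexplained, decodes the LoadLibraryExW dwFlags value 00000800 (LOAD_LIBRARY_SEARCH_SYSTEM32) and the SetWaitableTimer lPeriod value 000493E0 from the timer function earlier on this page. The CRT_LAZY_IMPORTS set is an assumption assembled from the names visible on this page, and the treatment of the fourth LoadLibraryExW stack value as the name pushed for the following GetProcAddress relies on LoadLibraryExW taking only three parameters.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: "APIs" lines copied from the function listings on this page.
# The hex values are the stack slots the sandbox recorded at each call site.
SAMPLE_APIS = """\
• __init_pointers.LIBCMT ref: 02BC4A04
  • Part of subcall function 02BC70C0: RtlEncodePointer.NTDLL(00000000), ref: 02BC70C3
  • Part of subcall function 02BC70C0: GetModuleHandleW.KERNEL32(kernel32.dll,?,02BDF248,00000008,00000003,02BDEC8C,?,00000001), ref: 02BC7E41
  • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02BC7E55
  • Part of subcall function 02BC70C0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02BC7EED
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 02BC24EB
• GetProcAddress.KERNEL32(00000000), ref: 02BC24F2
• CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BB272B
• SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02BB2778
"""

# One report line: optional "Part of subcall function X:" prefix, API.MODULE,
# optional "(stack values)", then "ref: <address>".
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")

# Assumption: names the MSVC CRT binds lazily at startup, taken from this page's
# __init_pointers subcall list plus the two combase.dll loaders.
CRT_LAZY_IMPORTS = {
    "FlsAlloc", "FlsFree", "FlsGetValue", "FlsSetValue",
    "InitializeCriticalSectionEx", "CreateEventExW", "CreateSemaphoreExW",
    "SetThreadStackGuarantee", "CreateThreadpoolTimer", "SetThreadpoolTimer",
    "WaitForThreadpoolTimerCallbacks", "CloseThreadpoolTimer",
    "CreateThreadpoolWait", "SetThreadpoolWait", "CloseThreadpoolWait",
    "RoInitialize", "RoUninitialize",
}
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800


@dataclass
class Call:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: str = ""
    subcall: Optional[str] = None


def parse_api_lines(text: str) -> List[Call]:
    """Turn the report's bullet lines into Call records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def resolved_names(calls: List[Call]) -> List[str]:
    """Export names resolved at run time rather than via the import table.

    GetProcAddress shows the name as its second stack value. The combase loader
    pushes the name before calling LoadLibraryExW, so it shows up as the fourth
    stack value there, beyond LoadLibraryExW's three real parameters."""
    names = []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            if c.args[1] != "?" and not HEX_RE.match(c.args[1]):
                names.append(c.args[1])
        elif c.api == "LoadLibraryExW" and len(c.args) >= 4:
            if c.args[3] != "?" and not HEX_RE.match(c.args[3]):
                names.append(c.args[3])
    return names


def classify_resolutions(calls: List[Call]) -> dict:
    """Split dynamic resolutions into CRT startup noise and names worth a closer look."""
    names = resolved_names(calls)
    return {
        "crt_startup": sorted(n for n in names if n in CRT_LAZY_IMPORTS),
        "unexplained": sorted(n for n in names if n not in CRT_LAZY_IMPORTS),
    }


def loadlibrary_pinned_to_system32(calls: List[Call]) -> List[str]:
    """Module names loaded with LOAD_LIBRARY_SEARCH_SYSTEM32 (dwFlags is the 3rd value)."""
    return [
        c.args[0] for c in calls
        if c.api == "LoadLibraryExW" and len(c.args) >= 3 and HEX_RE.match(c.args[2])
        and int(c.args[2], 16) & LOAD_LIBRARY_SEARCH_SYSTEM32
    ]


def waitable_timer_periods_ms(calls: List[Call]) -> List[int]:
    """lPeriod (3rd SetWaitableTimer parameter) decoded from its hex stack value."""
    return [
        int(c.args[2], 16) for c in calls
        if c.api == "SetWaitableTimer" and len(c.args) >= 3 and HEX_RE.match(c.args[2])
    ]


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_APIS)
    print(classify_resolutions(calls))
    print("system32-pinned loads:", loadlibrary_pinned_to_system32(calls))
    print("timer periods (ms):", waitable_timer_periods_ms(calls))
```

Run against the sample, every resolved name lands in crt_startup and the unexplained list is empty, which is the point: nothing in these particular functions is attacker-driven API lookup. The timer period decodes to 300000 ms, five minutes; what the earlier "timer" function schedules on that period is not shown on this page, so the value is a lead to follow in the disassembly, not a conclusion.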
                                                                                          APIs
                                                                                          • TlsGetValue.KERNEL32(FFFFFFFF,D45761CE,?,?,?,?,00000000,02BD40D8,000000FF,02BC11DA), ref: 02BC0F7A
                                                                                          • TlsSetValue.KERNEL32(FFFFFFFF,02BC11DA,?,?,00000000), ref: 02BC0FE7
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02BC1011
                                                                                          • HeapFree.KERNEL32(00000000), ref: 02BC1014
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: HeapValue$FreeProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1812714009-0
                                                                                          • Opcode ID: 94f2bce9511ca49782687a95a429de85ebda8b17ef9bc9492914ccbfaf5c18b9
                                                                                          • Instruction ID: 90c358807282363dbb583bcf935c49f43492e7d606edc79202106f8f77ec0c4d
                                                                                          • Opcode Fuzzy Hash: 94f2bce9511ca49782687a95a429de85ebda8b17ef9bc9492914ccbfaf5c18b9
                                                                                          • Instruction Fuzzy Hash: 9B51A231A04344DFDB20DF29C444B5ABBE4EB457A4F65899DE85DEB281D731EC00CB91
                                                                                          APIs
                                                                                          • _ValidateScopeTableHandlers.LIBCMT ref: 02BD2DB0
                                                                                          • __FindPESection.LIBCMT ref: 02BD2DCA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FindHandlersScopeSectionTableValidate
                                                                                          • String ID:
                                                                                          • API String ID: 876702719-0
                                                                                          • Opcode ID: 679a6602310b13d12bf06afec2bff7c108c943e52114e3ab3e7cbb1a28eccbfe
                                                                                          • Instruction ID: a7ea0d1be73258cf90e93d93568642c9a10dc1bc4d2af5c93f62b5ddfcf6afcf
                                                                                          • Opcode Fuzzy Hash: 679a6602310b13d12bf06afec2bff7c108c943e52114e3ab3e7cbb1a28eccbfe
                                                                                          • Instruction Fuzzy Hash: 61A17E71A006958FCF25CF68D980BA9B7A5FB44358F584AA9DC05AB352F731EC41CB90
                                                                                          APIs
                                                                                          • GetStringTypeW.KERNEL32(00000001,00408640,00000001,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 004062BD
                                                                                          • GetStringTypeA.KERNEL32(00000000,00000001,0040863C,00000001,?,?,00000000,00000000,00000001), ref: 004062D7
                                                                                          • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 0040630B
                                                                                          • MultiByteToWideChar.KERNEL32(00405E87,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406343
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406399
                                                                                          • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063AB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: StringType$ByteCharMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 3852931651-0
                                                                                          • Opcode ID: d203232162232c56530dc1c9e7ac7d7ca2f1092592616d16a6b156e600e46040
                                                                                          • Instruction ID: 1973b5c1488275f86b32e201772009c48c68fd6130b56f6c31499d13724d529d
                                                                                          • Opcode Fuzzy Hash: d203232162232c56530dc1c9e7ac7d7ca2f1092592616d16a6b156e600e46040
                                                                                          • Instruction Fuzzy Hash: 97418E72500219EFDF119F94DE86AAF3F78EB04350F11453AFA52F6290C73989608BE8
                                                                                          APIs
                                                                                          • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                                            • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                                          • sqlite3_log.SQLITE3 ref: 609498F5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                                          • String ID: List of tree roots: $d$|
                                                                                          • API String ID: 3709608969-1164703836
                                                                                          • Opcode ID: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                          • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                                                          • Opcode Fuzzy Hash: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                          • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                                                          APIs
                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BB1CB1
                                                                                          • CloseHandle.KERNEL32(?), ref: 02BB1CBA
                                                                                          • InterlockedExchangeAdd.KERNEL32(02BE5264,00000000), ref: 02BB1CC6
                                                                                          • TerminateThread.KERNEL32(?,00000000), ref: 02BB1CD4
                                                                                          • QueueUserAPC.KERNEL32(02BB1E7C,?,00000000), ref: 02BB1CE1
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02BB1CEC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                          • String ID:
                                                                                          • API String ID: 1946104331-0
                                                                                          • Opcode ID: da16752476d06534b72cd970059579b73584498f43adbbe81d19cb3cf4d081ff
                                                                                          • Instruction ID: 5a7146ff66db1696fdebcd54509d1a7f2b2292473601e58d10b7e5efb4828ab5
                                                                                          • Opcode Fuzzy Hash: da16752476d06534b72cd970059579b73584498f43adbbe81d19cb3cf4d081ff
                                                                                          • Instruction Fuzzy Hash: D6F08135951200AF97205B99DC19DAB7BBCEF457217804659F56AC3150EBB06810CBA0
                                                                                          APIs
                                                                                            • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                            • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                            • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                            • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                          • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                                          • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                                          • sqlite3_free.SQLITE3 ref: 6096029A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                                          • String ID: e
                                                                                          • API String ID: 786425071-4024072794
                                                                                          • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                          • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                                                          • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                          • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 00403A3B
                                                                                          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403A70
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403AD0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                          • API String ID: 1385375860-4131005785
                                                                                          • Opcode ID: 0f37da7df256ea2bf10cd5595ffbc211f3aae08b662fce8f1d53329a7b1a0cb3
                                                                                          • Instruction ID: 8e0d8efe135bd9bd4ab90b631ae35de0fa5087430b450c3f58eab12f6465c816
                                                                                          • Opcode Fuzzy Hash: 0f37da7df256ea2bf10cd5595ffbc211f3aae08b662fce8f1d53329a7b1a0cb3
                                                                                          • Instruction Fuzzy Hash: BD3102319012886DEB319A745C46B9B7F6C9B02309F2404FBE185F52C3E6389F89CB1D
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_exec
                                                                                          • String ID: sqlite_master$sqlite_temp_master$|
                                                                                          • API String ID: 2141490097-2247242311
                                                                                          • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                          • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                                                          • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                          • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                                                          APIs
                                                                                          • std::exception::exception.LIBCMT ref: 02BC098F
                                                                                            • Part of subcall function 02BC14E3: std::exception::_Copy_str.LIBCMT ref: 02BC14FC
                                                                                            • Part of subcall function 02BBFD60: __CxxThrowException@8.LIBCMT ref: 02BBFDBE
                                                                                          • std::exception::exception.LIBCMT ref: 02BC09EE
                                                                                          Strings
                                                                                          • boost unique_lock owns already the mutex, xrefs: 02BC09DD
                                                                                          • boost unique_lock has no mutex, xrefs: 02BC097E
                                                                                          • $, xrefs: 02BC09F3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                          • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                          • API String ID: 2140441600-46888669
                                                                                          • Opcode ID: 279f43d4357e97271ab41e5d1901c1dccecadcbf94a8fd0b90c6feb0531346b1
                                                                                          • Instruction ID: 2d7180802f4c750883303c68b16f27c770b894c312da210128e0abdb18ffb35b
                                                                                          • Opcode Fuzzy Hash: 279f43d4357e97271ab41e5d1901c1dccecadcbf94a8fd0b90c6feb0531346b1
                                                                                          • Instruction Fuzzy Hash: EB2126B15083809FD721DF28C45479BBBE9AF88B08F504D9DF4A587381D7B99908CF82
                                                                                          APIs
                                                                                          • __getptd_noexit.LIBCMT ref: 02BC36F0
                                                                                            • Part of subcall function 02BC48E2: GetLastError.KERNEL32(76F90A60,76F8F550,02BC4AD0,02BC2043,76F8F550,?,02BB5A0D,00000104,76F90A60,76F8F550,ntdll.dll,?,?,?,02BB5EE8), ref: 02BC48E4
                                                                                            • Part of subcall function 02BC48E2: __calloc_crt.LIBCMT ref: 02BC4905
                                                                                            • Part of subcall function 02BC48E2: __initptd.LIBCMT ref: 02BC4927
                                                                                            • Part of subcall function 02BC48E2: GetCurrentThreadId.KERNEL32 ref: 02BC492E
                                                                                            • Part of subcall function 02BC48E2: SetLastError.KERNEL32(00000000,02BB5A0D,00000104,76F90A60,76F8F550,ntdll.dll,?,?,?,02BB5EE8), ref: 02BC4946
                                                                                          • __calloc_crt.LIBCMT ref: 02BC3713
                                                                                          • __get_sys_err_msg.LIBCMT ref: 02BC3731
                                                                                          • __invoke_watson.LIBCMT ref: 02BC374E
                                                                                          Strings
                                                                                          • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02BC36FB, 02BC3721
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                          • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                          • API String ID: 109275364-798102604
                                                                                          • Opcode ID: 9f1ba92f45514fc1f20f3ebb92694dd2fc72498dee0f2fd4c92c736662b9a2d9
                                                                                          • Instruction ID: be3a7560e231c37cb1c53b278fb27be99ad932b22519de381cf81b574bf6abdc
                                                                                          • Opcode Fuzzy Hash: 9f1ba92f45514fc1f20f3ebb92694dd2fc72498dee0f2fd4c92c736662b9a2d9
                                                                                          • Instruction Fuzzy Hash: 4DF0E9B6904715B7E721352A6C81E6B72DDDB457E5BB080FFFA44D6201FB62EC004A94
                                                                                          APIs
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BB2350
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BB2360
                                                                                          • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BB2370
                                                                                          • GetLastError.KERNEL32 ref: 02BB237A
                                                                                            • Part of subcall function 02BB1712: __EH_prolog.LIBCMT ref: 02BB1717
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                          • String ID: pqcs
                                                                                          • API String ID: 1619523792-2559862021
                                                                                          • Opcode ID: 420367d1a2c2a95c357a043a0695b08237e277782707d92a5c186dee94c8cbf0
                                                                                          • Instruction ID: 9bc00f362dca0f735d533ffeee32c2e8dada9db986d9edad14027d185f8988dd
                                                                                          • Opcode Fuzzy Hash: 420367d1a2c2a95c357a043a0695b08237e277782707d92a5c186dee94c8cbf0
                                                                                          • Instruction Fuzzy Hash: 7FF03A71A41304AFDB31AFA49C29BFB7BACEF04641B8049A9E906D7540FBB099148B91
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB4035
                                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 02BB4042
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BB4049
                                                                                          • std::exception::exception.LIBCMT ref: 02BB4063
                                                                                            • Part of subcall function 02BB96CE: __EH_prolog.LIBCMT ref: 02BB96D3
                                                                                            • Part of subcall function 02BB96CE: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BB96E2
                                                                                            • Part of subcall function 02BB96CE: __CxxThrowException@8.LIBCMT ref: 02BB9701
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                          • String ID: bad allocation
                                                                                          • API String ID: 3112922283-2104205924
                                                                                          • Opcode ID: 0688de980466a0124dc1883a9bb6994a91df625157954f4645832c0b246b4ab1
                                                                                          • Instruction ID: 7479e84247d5165cf5b145280fc075343f35bfe9581a7d2ac6815c9e0203a23c
                                                                                          • Opcode Fuzzy Hash: 0688de980466a0124dc1883a9bb6994a91df625157954f4645832c0b246b4ab1
                                                                                          • Instruction Fuzzy Hash: 17F08272D002099BDB11EFE0D914BEF7B7CEF04301F8049C8E915A2142EB794618CF91
                                                                                          APIs
                                                                                            • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                                                          • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                                                          • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                                                          • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                                                          • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                                                            • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                            • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                            • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                            • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                                                          • String ID:
                                                                                          • API String ID: 683514883-0
                                                                                          • Opcode ID: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                          • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                                                          • Opcode Fuzzy Hash: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                          • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
                                                                                          APIs
                                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                                                          • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                                                          • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                                                          • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                            • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                            • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                                                          • String ID:
                                                                                          • API String ID: 1903298374-0
                                                                                          • Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                          • Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
                                                                                          • Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                          • Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
                                                                                          APIs
                                                                                          • GetStartupInfoA.KERNEL32(?), ref: 0040389D
                                                                                          • GetFileType.KERNEL32(00000800), ref: 00403943
                                                                                          • GetStdHandle.KERNEL32(-000000F6), ref: 0040399C
                                                                                          • GetFileType.KERNEL32(00000000), ref: 004039AA
                                                                                          • SetHandleCount.KERNEL32 ref: 004039E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileHandleType$CountInfoStartup
                                                                                          • String ID:
                                                                                          • API String ID: 1710529072-0
                                                                                          • Opcode ID: f9f6c698642d398b554f84be3c90f4064283888af6bbc673017cb63da6670b61
                                                                                          • Instruction ID: 825ec877f99b7629084fcbf2355a8090dcaf6ef966e66130ad5ff06318bbd0a8
                                                                                          • Opcode Fuzzy Hash: f9f6c698642d398b554f84be3c90f4064283888af6bbc673017cb63da6670b61
                                                                                          • Instruction Fuzzy Hash: 125125B15046018FD7208F29C988B667F98BB02736F15873AE492FB3E1D7BC9A05C709
                                                                                          APIs
                                                                                            • Part of subcall function 02BC0A60: CloseHandle.KERNEL32(00000000,D45761CE), ref: 02BC0AB1
                                                                                            • Part of subcall function 02BC0A60: WaitForSingleObject.KERNEL32(?,000000FF,D45761CE,?,?,?,?,D45761CE,02BC0A33,D45761CE), ref: 02BC0AC8
                                                                                          • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02BC0D2E
                                                                                          • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02BC0D4E
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02BC0D87
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02BC0DDB
                                                                                          • SetEvent.KERNEL32(?), ref: 02BC0DE2
                                                                                            • Part of subcall function 02BB418C: CloseHandle.KERNEL32(00000000,?,02BC0D15), ref: 02BB41B0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 4166353394-0
                                                                                          • Opcode ID: c9ca7326ede202ce438c5924fe9c1edfbbc3f8e6ddc4ca955c3008dff3377a79
                                                                                          • Instruction ID: 36ab186d7b7519141f422445a61008c0bc7d91fba7fc3d607f8fe7b06c8a7e36
                                                                                          • Opcode Fuzzy Hash: c9ca7326ede202ce438c5924fe9c1edfbbc3f8e6ddc4ca955c3008dff3377a79
                                                                                          • Instruction Fuzzy Hash: 3641D471600311CFDB25AF18CC80B6B77A4EF45724F240AACEC29EB295D736E851CBA1
                                                                                          APIs
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BB20AC
                                                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02BB20CD
                                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BB20D8
                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 02BB213E
                                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BB21A6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                          • String ID:
                                                                                          • API String ID: 1611172436-0
                                                                                          • Opcode ID: d21a77731235e3d0d3bc5485f7fb80ec3a34249a2b8b7635d5200c52ad07fdad
                                                                                          • Instruction ID: df0ca1c2048f74d7641d567c42e63b86b329e93a793ffc912ecc00c820126120
                                                                                          • Opcode Fuzzy Hash: d21a77731235e3d0d3bc5485f7fb80ec3a34249a2b8b7635d5200c52ad07fdad
                                                                                          • Instruction Fuzzy Hash: BC316B715047019FC326DF25D884AABB7F9FFC8654F440A5EA89683250E770E546CFA2
                                                                                          APIs
                                                                                            • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                          • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                          • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                          • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                                          • String ID:
                                                                                          • API String ID: 1894464702-0
                                                                                          • Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                          • Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
                                                                                          • Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                          • Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BBD101
                                                                                            • Part of subcall function 02BB1A01: TlsGetValue.KERNEL32 ref: 02BB1A0A
                                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BBD180
                                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BBD19C
                                                                                          • InterlockedIncrement.KERNEL32(02BE30F0), ref: 02BBD1C1
                                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BBD1D6
                                                                                            • Part of subcall function 02BB27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02BB284E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                          • String ID:
                                                                                          • API String ID: 1578506061-0
                                                                                          • Opcode ID: 9ce46cf6d1f7d73f63e58b48151227cf7a27b72a4b25cc1963331a43d3a56b7b
                                                                                          • Instruction ID: f62ffefca900193d141bce202dde2bfeeeac6101380c7b29c30dec4122625685
                                                                                          • Opcode Fuzzy Hash: 9ce46cf6d1f7d73f63e58b48151227cf7a27b72a4b25cc1963331a43d3a56b7b
                                                                                          • Instruction Fuzzy Hash: 413117B19012099FCB21DFA8D5446EABBF8FF08310F14459AD849E7641E775AA14CFA0
                                                                                          APIs
                                                                                            • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                                                          • sqlite3_log.SQLITE3 ref: 609253E2
                                                                                          • sqlite3_log.SQLITE3 ref: 60925406
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                          • String ID:
                                                                                          • API String ID: 3336957480-0
                                                                                          • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                          • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                                                          • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                          • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
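The entries above are per-function listings from the Joe Sandbox IDA plugin: the APIs a function calls (lines prefixed `Part of subcall function <addr>:` are calls made from a callee, not from the function itself), the memory dump the function was lifted from, whether that dump is backed by a PE image on disk (`based on PE: true/false`), and whether a `Yara matches` heading is present. When triaging a report of this size, the practical question is which functions belong to the unpacked payload in the non-image-backed region at 02BB1000 rather than to library code such as the SQLITE3 exports in the 60900000 region or the CRT startup routines in the main image at 00400000. The script below is an added example, not part of the report or of Joe Sandbox; it parses a constructed excerpt in this page's layout into records, profiles each dump region by the modules its functions call directly, and selects the regions that are not PE-backed or carry a Yara flag. It assumes the line layout seen here and treats a bare `Yara matches` heading as a positive flag, since the rule names are not shown on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One API bullet, with or without the "Part of subcall function <addr>:" prefix, e.g.
#   • GetProcessHeap.KERNEL32(00000000,?), ref: 02BB4042
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# The dump a function was lifted from.
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    parent: Optional[str] = None  # callee address when the line is "Part of subcall function"


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    pe_backed: Optional[bool] = None
    yara: bool = False  # assumption: a "Yara matches" heading under the entry means a hit
    string_id: str = ""


def parse_report(text: str) -> List[FunctionEntry]:
    """Split plugin output into one record per 'APIs' block; unknown lines are ignored."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif line == "Yara matches":
            cur.yara = True
        elif m := API_RE.match(line):
            cur.calls.append(ApiCall(m["name"], m["module"], m["ref"], m["parent"]))
        elif m := SRC_RE.match(line):
            cur.source_file, cur.offset = m["file"], m["offset"]
            cur.pe_backed = m["pe"] == "true"
        elif line.startswith("• String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
    return entries


def region_summary(entries: List[FunctionEntry]) -> Dict[str, dict]:
    """Per dump offset: PE backing, Yara flag, function count, modules called directly."""
    regions: Dict[str, dict] = {}
    for e in entries:
        r = regions.setdefault(e.offset, {"pe_backed": e.pe_backed, "yara": False,
                                           "functions": 0, "modules": Counter()})
        r["yara"] = r["yara"] or e.yara
        r["functions"] += 1
        # Subcall lines describe shared helpers; count only the function's own calls.
        r["modules"].update(c.module for c in e.calls if c.parent is None)
    return regions


def suspicious_regions(entries: List[FunctionEntry]) -> List[str]:
    """Offsets worth carving out: not backed by an on-disk PE image, or flagged by Yara."""
    return sorted(o for o, r in region_summary(entries).items()
                  if r["pe_backed"] is False or r["yara"])


# Constructed excerpt in this report's layout: payload region, SQLITE3 region, CRT in main image.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 02BB4035
• GetProcessHeap.KERNEL32(00000000,?), ref: 02BB4042
• RtlAllocateHeap.NTDLL(00000000), ref: 02BB4049
• std::exception::exception.LIBCMT ref: 02BB4063
  • Part of subcall function 02BB96CE: __CxxThrowException@8.LIBCMT ref: 02BB9701
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Yara matches
Similarity
• String ID: bad allocation
APIs
• sqlite3_malloc.SQLITE3 ref: 6094B1D1
• sqlite3_free.SQLITE3 ref: 6094B2C8
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• String ID:
APIs
• GetStartupInfoA.KERNEL32(?), ref: 0040389D
• SetHandleCount.KERNEL32 ref: 004039E1
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for off, r in region_summary(parsed).items():
        print(off, "pe_backed=%s yara=%s" % (r["pe_backed"], r["yara"]), dict(r["modules"]))
    print("carve:", suspicious_regions(parsed))
```

Fed the full report saved as plain text, the same functions give one record per function and one profile per dump region; the subcall lines are kept with their parent address so that shared helpers such as the `bad allocation` thrower do not inflate the direct-call profile of every function that reaches them.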
                                                                                          APIs
                                                                                          • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                                                          • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                                                          • sqlite3_data_count.SQLITE3 ref: 60961465
                                                                                          • sqlite3_column_value.SQLITE3 ref: 60961476
                                                                                          • sqlite3_result_value.SQLITE3 ref: 60961482
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                                                          • String ID:
                                                                                          • API String ID: 3091402450-0
APIs
• WSASetLastError.WS2_32(00000000), ref: 02BB2A3B
• closesocket.WS2_32 ref: 02BB2A42
• ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02BB2A89
• WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02BB2A97
• closesocket.WS2_32 ref: 02BB2A9E
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ErrorLastclosesocket$ioctlsocket
• String ID:
• API String ID: 1561005644-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
• String ID:
• API String ID: 251237202-0
APIs
• __EH_prolog.LIBCMT ref: 02BB1BAC
• RtlEnterCriticalSection.NTDLL ref: 02BB1BBC
• RtlLeaveCriticalSection.NTDLL ref: 02BB1BEA
• RtlEnterCriticalSection.NTDLL ref: 02BB1C13
• RtlLeaveCriticalSection.NTDLL ref: 02BB1C56
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$H_prolog
• String ID:
• API String ID: 1633115879-0
APIs
• sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
• sqlite3_value_text.SQLITE3 ref: 6091A349
• sqlite3_value_bytes.SQLITE3 ref: 6091A356
• sqlite3_value_text.SQLITE3 ref: 6091A37B
• sqlite3_value_bytes.SQLITE3 ref: 6091A387
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
• String ID:
• API String ID: 4225432645-0
APIs
• _malloc.LIBCMT ref: 02BCE8B0
  • Part of subcall function 02BC1FBC: __FF_MSGBANNER.LIBCMT ref: 02BC1FD3
  • Part of subcall function 02BC1FBC: __NMSG_WRITE.LIBCMT ref: 02BC1FDA
  • Part of subcall function 02BC1FBC: RtlAllocateHeap.NTDLL(00730000,00000000,00000001), ref: 02BC1FFF
• _free.LIBCMT ref: 02BCE8C3
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
APIs
• __EH_prolog.LIBCMT ref: 02BB21DA
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BB21ED
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02BB2224
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02BB2237
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02BB2261
  • Part of subcall function 02BB2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BB2350
  • Part of subcall function 02BB2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BB2360
  • Part of subcall function 02BB2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BB2370
  • Part of subcall function 02BB2341: GetLastError.KERNEL32 ref: 02BB237A
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
APIs
• __EH_prolog.LIBCMT ref: 02BB229D
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BB22B0
• TlsGetValue.KERNEL32 ref: 02BB22E7
• TlsSetValue.KERNEL32(?), ref: 02BB2300
• TlsSetValue.KERNEL32(?,?,?), ref: 02BB231C
  • Part of subcall function 02BB2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BB2350
  • Part of subcall function 02BB2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BB2360
  • Part of subcall function 02BB2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BB2370
  • Part of subcall function 02BB2341: GetLastError.KERNEL32 ref: 02BB237A
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
APIs
  • Part of subcall function 02BBA169: __EH_prolog.LIBCMT ref: 02BBA16E
• __CxxThrowException@8.LIBCMT ref: 02BBAD33
  • Part of subcall function 02BC31CA: RaiseException.KERNEL32(?,?,02BBEB63,?,?,?,?,?,?,?,02BBEB63,?,02BDECA8,?), ref: 02BC321F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02BDFA1C,?,00000001), ref: 02BBAD49
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BBAD5C
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02BDFA1C,?,00000001), ref: 02BBAD6C
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BBAD7A
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
• String ID:
• API String ID: 2725315915-0
APIs
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BB2432
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BB2445
• RtlEnterCriticalSection.NTDLL(?), ref: 02BB2454
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BB2469
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BB2470
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
• String ID:
• API String ID: 747265849-0
APIs
• InterlockedIncrement.KERNEL32(?), ref: 02BB1ED2
• PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02BB1EEA
• RtlEnterCriticalSection.NTDLL(?), ref: 02BB1EF9
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BB1F0E
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BB1F15
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
• String ID:
• API String ID: 830998967-0
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_log
                                                                                          • String ID: ($string or blob too big$|
                                                                                          • API String ID: 632333372-2398534278
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _memmove
                                                                                          • String ID: invalid string position$string too long
                                                                                          • API String ID: 4104443479-4289949731
                                                                                          APIs
                                                                                          • WSASetLastError.WS2_32(00000000), ref: 02BB30C3
                                                                                          • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02BB3102
                                                                                          • _memcmp.LIBCMT ref: 02BB3141
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressErrorLastString_memcmp
                                                                                          • String ID: 255.255.255.255
                                                                                          • API String ID: 1618111833-2422070025
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$Protect$Query
                                                                                          • String ID: @
                                                                                          • API String ID: 3618607426-2766056989
                                                                                          APIs
                                                                                          • sqlite3_malloc.SQLITE3 ref: 60928353
                                                                                            • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                          • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                                                          • sqlite3_free.SQLITE3 ref: 609283B6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                          • String ID: d
                                                                                          • API String ID: 211589378-2564639436
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB8740
                                                                                            • Part of subcall function 02BB1BA7: __EH_prolog.LIBCMT ref: 02BB1BAC
                                                                                            • Part of subcall function 02BB1BA7: RtlEnterCriticalSection.NTDLL ref: 02BB1BBC
                                                                                            • Part of subcall function 02BB1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BB1BEA
                                                                                            • Part of subcall function 02BB1BA7: RtlEnterCriticalSection.NTDLL ref: 02BB1C13
                                                                                            • Part of subcall function 02BB1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BB1C56
                                                                                          • RtlEnterCriticalSection.NTDLL(00000020), ref: 02BB87BB
                                                                                          • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BB87D9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                          • String ID: H&t
                                                                                          • API String ID: 1633115879-360592235
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB1F5B
                                                                                          • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02BB1FC5
                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 02BB1FD2
                                                                                            • Part of subcall function 02BB1712: __EH_prolog.LIBCMT ref: 02BB1717
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                          • String ID: iocp
                                                                                          • API String ID: 998023749-976528080
                                                                                          APIs
                                                                                          • _malloc.LIBCMT ref: 02BC27DD
                                                                                            • Part of subcall function 02BC1FBC: __FF_MSGBANNER.LIBCMT ref: 02BC1FD3
                                                                                            • Part of subcall function 02BC1FBC: __NMSG_WRITE.LIBCMT ref: 02BC1FDA
                                                                                            • Part of subcall function 02BC1FBC: RtlAllocateHeap.NTDLL(00730000,00000000,00000001), ref: 02BC1FFF
                                                                                          • std::exception::exception.LIBCMT ref: 02BC27FB
                                                                                          • __CxxThrowException@8.LIBCMT ref: 02BC2810
                                                                                            • Part of subcall function 02BC31CA: RaiseException.KERNEL32(?,?,02BBEB63,?,?,?,?,?,?,?,02BBEB63,?,02BDECA8,?), ref: 02BC321F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                          • String ID: bad allocation
                                                                                          • API String ID: 3074076210-2104205924
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB37B6
                                                                                          • __localtime64.LIBCMT ref: 02BB37C1
                                                                                            • Part of subcall function 02BC1610: __gmtime64_s.LIBCMT ref: 02BC1623
                                                                                          • std::exception::exception.LIBCMT ref: 02BB37D9
                                                                                            • Part of subcall function 02BC14E3: std::exception::_Copy_str.LIBCMT ref: 02BC14FC
                                                                                            • Part of subcall function 02BB952C: __EH_prolog.LIBCMT ref: 02BB9531
                                                                                            • Part of subcall function 02BB952C: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BB9540
                                                                                            • Part of subcall function 02BB952C: __CxxThrowException@8.LIBCMT ref: 02BB955F
                                                                                          Strings
                                                                                          • could not convert calendar time to UTC time, xrefs: 02BB37CE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                          • String ID: could not convert calendar time to UTC time
                                                                                          • API String ID: 1963798777-2088861013
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                                          • API String ID: 1646373207-2713375476
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,004028E9), ref: 00402CCF
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00402CDF
Strings
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
• Opcode ID: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
• Instruction ID: 2adebd830dd3b14d64e79f2d4f5eff8f6aaaa0a0dfbfbc424d90c26f206a1370
• Opcode Fuzzy Hash: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
• Instruction Fuzzy Hash: 8EC01220388602ABFE902BB14F0EB2A21082F00B82F14407E6589F02C0CEBCC008903D
APIs
• HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403BAA), ref: 004047AD
• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403BAA), ref: 004047D1
• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403BAA), ref: 004047EB
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403BAA), ref: 004048AC
• HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403BAA), ref: 004048C3
Memory Dump Source
• Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: AllocVirtual$FreeHeap
• String ID:
• API String ID: 714016831-0
• Opcode ID: 40c1f36ec91e0fdcd34999e659656618bdbc287b61182469df63e7afeec0b04d
• Instruction ID: c10c021e120759eda6135e36457b27e0c23e5a43da849e4fe0a9db16ba58ca85
• Opcode Fuzzy Hash: 40c1f36ec91e0fdcd34999e659656618bdbc287b61182469df63e7afeec0b04d
• Instruction Fuzzy Hash: 453142B65007029BD3309F24DD40B26B7E0EB88B54F10CA3AEA95B76D1E778A8448F4C
APIs
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: AdjustPointer_memmove
• String ID:
• API String ID: 1721217611-0
• Opcode ID: e2501509acae25c7ae4b029625df10b91e6371e83bd04a1ed405a20d762e7e6a
• Instruction ID: 8ba3688d5024e9a46a1ff87b3a6433bcffc7c27bdf3d8acc2affaae0279f74b9
• Opcode Fuzzy Hash: e2501509acae25c7ae4b029625df10b91e6371e83bd04a1ed405a20d762e7e6a
• Instruction Fuzzy Hash: A441B575204B479BFB389F25E940B7673E6EF20B64F3440DEE895965D0EB72E484CA10
APIs
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02BB4149), ref: 02BC03CF
  • Part of subcall function 02BB3FDC: __EH_prolog.LIBCMT ref: 02BB3FE1
  • Part of subcall function 02BB3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02BB3FF3
• CloseHandle.KERNEL32(00000000), ref: 02BC03C4
• CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02BB4149), ref: 02BC0410
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02BB4149), ref: 02BC04E1
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CloseHandle$Event$CreateH_prolog
• String ID:
• API String ID: 2825413587-0
• Opcode ID: 0bbf711d0946ee7246f5d961547241aa51e9ea8d832e3c88f5fc1b602a2f860d
• Instruction ID: 01aab70e627b1b68b13a546fdbccc64deb2f42c119093e3e3c66962f56bdf2db
• Opcode Fuzzy Hash: 0bbf711d0946ee7246f5d961547241aa51e9ea8d832e3c88f5fc1b602a2f860d
• Instruction Fuzzy Hash: 2651A071604345CBDB21EF28C88479A77F4EF88328F294AACFC6997291E735D905CB91
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02BCE2EC
• __isleadbyte_l.LIBCMT ref: 02BCE31A
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 02BCE348
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 02BCE37E
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: c51a8cf1303f1f4b372bd6aaa7566ea0011e868bf3ffd3fcf8a2ef1a0b052468
• Instruction ID: 5336cc739e387a63513b6961a0f3a13b7cd8f5a5cab69a11a5f6f19c76ad831a
• Opcode Fuzzy Hash: c51a8cf1303f1f4b372bd6aaa7566ea0011e868bf3ffd3fcf8a2ef1a0b052468
• Instruction Fuzzy Hash: B131D331600246EFDB228F75C844BAE7BBAFF81314F2585ADF8648B190E730E950DB90
APIs
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
• String ID:
• API String ID: 1648232842-0
• Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
• Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
• Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
• Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
APIs
• sqlite3_step.SQLITE3 ref: 609614AB
• sqlite3_reset.SQLITE3 ref: 609614BF
  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
• sqlite3_column_int64.SQLITE3 ref: 609614D4
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
• String ID:
• API String ID: 3429445273-0
• Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
• Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
• Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
• Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
APIs
• htons.WS2_32(?), ref: 02BB3DA2
  • Part of subcall function 02BB3BD3: __EH_prolog.LIBCMT ref: 02BB3BD8
  • Part of subcall function 02BB3BD3: std::bad_exception::bad_exception.LIBCMT ref: 02BB3BED
• htonl.WS2_32(00000000), ref: 02BB3DB9
• htonl.WS2_32(00000000), ref: 02BB3DC0
• htons.WS2_32(?), ref: 02BB3DD4
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
• String ID:
• API String ID: 3882411702-0
• Opcode ID: f221e36783050b5fb89dd82afeeeca72e9fddbd5d7c602a03be725a3f3deae70
• Instruction ID: c5cf13aed0eea94a05b9fbf0a50cbe90222a299d80206473d1ed6c65bcd915c3
• Opcode Fuzzy Hash: f221e36783050b5fb89dd82afeeeca72e9fddbd5d7c602a03be725a3f3deae70
• Instruction Fuzzy Hash: E2118235900309EFCF119F64D8859AAB7B9FF08311F008496FC04DF245E6B19A54CBA1
APIs
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
• Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
• Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
• Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
• Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02BB23D0
• RtlEnterCriticalSection.NTDLL(?), ref: 02BB23DE
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BB2401
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BB2408
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: 3fb53a7a954e7991a4a08c83d77465fdb9270579b0c9c8fb75c9ae792d12b397
• Instruction ID: 6a722056466df8dc9c329782cbfa3d2c6f23237aab1669088c1e236cd0f156c0
• Opcode Fuzzy Hash: 3fb53a7a954e7991a4a08c83d77465fdb9270579b0c9c8fb75c9ae792d12b397
• Instruction Fuzzy Hash: 9F11CE71601304AFDB259F60D984BFBBBB8FF44749F5044ADEA019B100E7B1E951CBA0
APIs
• WSASetLastError.WS2_32(00000000), ref: 02BB2EEE
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02BB2EFD
• WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02BB2F0C
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02BB2F36
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Socketsetsockopt
• String ID:
• API String ID: 2093263913-0
• Opcode ID: 6ac70ba06b22ce758991ee34bde699920aeaf7f6133bdba41c0280e04b9553d0
• Instruction ID: dcaa587047c33596c818241c8ed69664bed07c3f14b4f491398553f42a8e128f
• Opcode Fuzzy Hash: 6ac70ba06b22ce758991ee34bde699920aeaf7f6133bdba41c0280e04b9553d0
• Instruction Fuzzy Hash: 92018872901204BBDB305F65DC98BEB7BA9DF85771F008565F918CB141D7B088008BA0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: a86e3c559fb95fbe6455bed1f80b70232cbbbcf6ec0ce7baf2cce38c77a3011b
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: D4011C7604014EBBCF126E84DC418EE3F77FB1A354F688499FA2899231D336D5B5AB81
                                                                                          APIs
                                                                                          • ___BuildCatchObject.LIBCMT ref: 02BC95F4
                                                                                            • Part of subcall function 02BC9C0B: ___AdjustPointer.LIBCMT ref: 02BC9C54
                                                                                          • _UnwindNestedFrames.LIBCMT ref: 02BC960B
                                                                                          • ___FrameUnwindToState.LIBCMT ref: 02BC961D
                                                                                          • CallCatchBlock.LIBCMT ref: 02BC9641
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                          • String ID:
                                                                                          • API String ID: 2633735394-0
                                                                                          • Opcode ID: 713256ae837dbe65801958c0297b5b5fc49ecbb291bb0655e55bccd4794a1f23
                                                                                          • Instruction ID: b1989be52a445ca2f8642d1668a4ab877d8eb48a4b36f60f3d162944262ce60d
                                                                                          • Opcode Fuzzy Hash: 713256ae837dbe65801958c0297b5b5fc49ecbb291bb0655e55bccd4794a1f23
                                                                                          • Instruction Fuzzy Hash: DD012932000509FBEF12AF95CC44EEA3BBAEF48754F258099FA1862120C732E561DFA4
                                                                                          APIs
                                                                                          • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                          • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                                                          • String ID:
                                                                                          • API String ID: 2673540737-0
                                                                                          • Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                          • Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
                                                                                          • Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                          • Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                                          • String ID:
                                                                                          • API String ID: 3526213481-0
                                                                                          • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                          • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                                                          • Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                          • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                                                          APIs
                                                                                          • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                                          • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                                            • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                                          • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                                            • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                                          • sqlite3_step.SQLITE3 ref: 60969197
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                                          • String ID:
                                                                                          • API String ID: 2877408194-0
                                                                                          • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                          • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                                                          • Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                          • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                                                          APIs
                                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BB24A9
                                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BB24B8
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BB24CD
                                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BB24D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                          • String ID:
                                                                                          • API String ID: 4018804020-0
                                                                                          • Opcode ID: caa7b61ef5c9ab2aee2727187e6bc4f862bb6d4cee87e84fa513d636338da6f7
                                                                                          • Instruction ID: f6036cc4f93a28f050d27f8c2bffd4dce4d8447660b5227a2f396e6bb4aa1c37
                                                                                          • Opcode Fuzzy Hash: caa7b61ef5c9ab2aee2727187e6bc4f862bb6d4cee87e84fa513d636338da6f7
                                                                                          • Instruction Fuzzy Hash: 99F01972541204AFDB00AF69E854FEABBACFF48751F808419FA04C7145D7B1E9608FA0
                                                                                          APIs
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                          • String ID:
                                                                                          • API String ID: 1477753154-0
                                                                                          • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                          • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                                                          • Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                          • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB2009
                                                                                          • RtlDeleteCriticalSection.NTDLL(?), ref: 02BB2028
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BB2037
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BB204E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                          • String ID:
                                                                                          • API String ID: 2456309408-0
                                                                                          • Opcode ID: e67a829bc8d52c2a7d8db1917c89aa56b986aad47153c0d622f06d8b64edb4a2
                                                                                          • Instruction ID: bc7905da40c984218a0a287365848a3044c04d4acdb14563eb41bfdd4f321c92
                                                                                          • Opcode Fuzzy Hash: e67a829bc8d52c2a7d8db1917c89aa56b986aad47153c0d622f06d8b64edb4a2
                                                                                          • Instruction Fuzzy Hash: E701F4714017048BC736EF54E8187EABBF5FF04309F80499EE84683950E7B0A954CF94
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Event$H_prologSleep
                                                                                          • String ID:
                                                                                          • API String ID: 1765829285-0
                                                                                          • Opcode ID: 71bc883a3f6ef19bda85d27d86244577d4a19edb8595aaf8f36e18abb4c85265
                                                                                          • Instruction ID: ae44c7270f524d9a676c449959516e28a1bd01b265f74ea99a808dad889084d1
                                                                                          • Opcode Fuzzy Hash: 71bc883a3f6ef19bda85d27d86244577d4a19edb8595aaf8f36e18abb4c85265
                                                                                          • Instruction Fuzzy Hash: D2F09A32A41110EFCB10AF94D898BC8BBA4FF09361F8081A9F90ADB281C7309810CBA1
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_log
                                                                                          • String ID: into$out of
                                                                                          • API String ID: 632333372-1114767565
                                                                                          • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                          • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                                                          • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                          • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog_memmove
                                                                                          • String ID: &'
                                                                                          • API String ID: 3529519853-655172784
                                                                                          • Opcode ID: d078ddfc5e19b89017b51affc9cf229f3ff28e32b59b4fc34f808ca4ca9f06c3
                                                                                          • Instruction ID: 855b45f781c32d97720274894957192d5e560ff18053366eff4a51339752f75e
                                                                                          • Opcode Fuzzy Hash: d078ddfc5e19b89017b51affc9cf229f3ff28e32b59b4fc34f808ca4ca9f06c3
                                                                                          • Instruction Fuzzy Hash: 22618171D00609DFDF22DFA4C951AFEBBB6EF48310F1081AAD515A7280D7B09A45CF61
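The blocks above are the report's per-function "Similarity" records (API call sites, memory dump source, Opcode ID, Instruction ID, fuzzy hashes) copied as flat text. The parser below is an added example, not code from the Joe Sandbox report or from the analysed sample: it turns those blocks into records so the Opcode IDs, Instruction Fuzzy Hashes and API call sites can be pivoted on across reports. The SAMPLE input is constructed from two entries of this section; field labels are the report's own, and the "Download File" suffix it strips is the download-link text that gets fused onto "Associated" paths when the HTML report is copied as text.

```python
"""Parse the per-function "Similarity" blocks of a Joe Sandbox report.

Added example, not code from the Joe Sandbox report or the analysed sample.
SAMPLE is constructed from two entries of this report (process 3, dumps at
02BB1000 and 60900000); the field labels are the report's own.
"""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BB24A9
• RtlEnterCriticalSection.NTDLL(?), ref: 02BB24B8
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BB24CD
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BB24D4
Memory Dump Source
• Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: caa7b61ef5c9ab2aee2727187e6bc4f862bb6d4cee87e84fa513d636338da6f7
• Instruction Fuzzy Hash: 99F01972541204AFDB00AF69E854FEABBACFF48751F808419FA04C7145D7B1E9608FA0
APIs
• sqlite3_prepare.SQLITE3 ref: 60969166
• sqlite3_errmsg.SQLITE3 ref: 60969172
  • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
• sqlite3_errcode.SQLITE3 ref: 6096918A
  • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
• sqlite3_step.SQLITE3 ref: 60969197
Memory Dump Source
• Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
• String ID:
• API String ID: 2877408194-0
• Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
• Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (the report omits args for some calls)
API_RE = re.compile(r"^(?P<name>[A-Za-z0-9_@?]+)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File:\s+(?P<file>\S+),\s+Offset:\s+(?P<offset>[0-9A-Fa-f]+),"
                       r"\s+based on PE:\s+(?P<pe>true|false)$")
SUBCALL_PREFIX = "Part of subcall function "
LINK_LABEL = "Download File"  # link text fused onto paths when the HTML report is copied


def _parse_api(text, parent=None):
    m = API_RE.match(text)
    if not m:
        return None
    rec = m.groupdict()
    rec["args"] = rec["args"] or ""
    rec["direct"] = parent is None   # False for "Part of subcall function" lines
    rec["parent"] = parent
    return rec


def parse_entries(text):
    """Split the flat listing into one dict per function; a block starts at 'APIs'."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if cur is not None:
                entries.append(cur)
            cur = {"apis": [], "associated": [], "yara_matches": False, "fields": {}}
            continue
        if cur is None or not line:
            continue
        if line == "Yara matches":          # label only; the match list is collapsed in the copy
            cur["yara_matches"] = True
            continue
        if not line.startswith("•"):        # section labels: Memory Dump Source, Similarity, ...
            continue
        body = line[1:].strip()
        if body.startswith(SUBCALL_PREFIX):
            parent, _, rest = body[len(SUBCALL_PREFIX):].partition(": ")
            api = _parse_api(rest, parent=parent)
        else:
            api = _parse_api(body)
        if api:
            cur["apis"].append(api)
            continue
        src = SOURCE_RE.match(body)
        if src:
            cur["source_file"], cur["offset"] = src["file"], src["offset"]
            cur["based_on_pe"] = src["pe"] == "true"
            continue
        key, sep, value = body.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Associated":
            cur["associated"].append(value.removesuffix(LINK_LABEL).strip())
        elif key == "Snapshot File":
            cur["snapshot"] = value
        else:
            cur["fields"][key] = value      # API ID, String ID, Opcode ID, fuzzy hashes, ...
    if cur is not None:
        entries.append(cur)
    return entries


def api_index(entries):
    """API name -> sorted call-site addresses, counting direct calls only."""
    idx = defaultdict(set)
    for e in entries:
        for a in e["apis"]:
            if a["direct"]:
                idx[a["name"]].add(a["ref"])
    return {k: sorted(v) for k, v in idx.items()}


def find_entries_calling(entries, names):
    """Functions whose direct calls cover every API in `names` (e.g. an IOCP wake-up pattern)."""
    want = set(names)
    return [e for e in entries if want <= {a["name"] for a in e["apis"] if a["direct"]}]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        calls = ", ".join(a["name"] for a in e["apis"] if a["direct"])
        print(f"{e['offset']} pe={e['based_on_pe']} yara={e['yara_matches']} "
              f"opcode={e['fields']['Opcode ID'][:16]} calls={calls}")
```

Run it on the whole copied report rather than the SAMPLE to get one record per function; the Opcode ID and Instruction Fuzzy Hash fields are what to compare against other reports, while `find_entries_calling` is useful for locating a specific API combination such as the PostQueuedCompletionStatus/InterlockedExchange pair in the 02BB1000 dump.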
                                                                                          APIs
                                                                                            • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                                                          • sqlite3_free.SQLITE3 ref: 609193A3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_freesqlite3_value_text
                                                                                          • String ID: (NULL)$NULL
                                                                                          • API String ID: 2175239460-873412390
                                                                                          • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                          • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                                                          • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                          • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_log
                                                                                          • String ID: -- $d
                                                                                          • API String ID: 632333372-777087308
                                                                                          • Opcode ID: 2197877c990d2cc598be623123ad695ba2ed3a88a0fc98749b4c643aad0a3996
                                                                                          • Instruction ID: d45f625f7ed72e8bd0cbe86fb5af212c953cff4c7e5ffbb26f6c4a79540968e1
                                                                                          • Opcode Fuzzy Hash: 2197877c990d2cc598be623123ad695ba2ed3a88a0fc98749b4c643aad0a3996
                                                                                          • Instruction Fuzzy Hash: FB51F674A043689BDB26CF28C980789BBFABF55304F1481D9E89CAB341C7759E85CF40
                                                                                          APIs
                                                                                          • GetCPInfo.KERNEL32(?,00000000), ref: 00405BB3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: Info
                                                                                          • String ID: $
                                                                                          • API String ID: 1807457897-3032137957
                                                                                          • Opcode ID: d62f257e1640a576e7c9989f97778ac9c58cbb7090796bbb9a31cafd0bd77437
                                                                                          • Instruction ID: d944e0326c6926f7701021ceed1c995ec26cf4905102b61f872e2d2972a5c282
                                                                                          • Opcode Fuzzy Hash: d62f257e1640a576e7c9989f97778ac9c58cbb7090796bbb9a31cafd0bd77437
                                                                                          • Instruction Fuzzy Hash: 824168300186589AFB119724CD89BFB3FA9EB05B00F1400FAD586FB1D2C2394954DFAA
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_log
                                                                                          • String ID: string or blob too big$|
                                                                                          • API String ID: 632333372-330586046
                                                                                          • Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                          • Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
                                                                                          • Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                          • Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
                                                                                          APIs
                                                                                            • Part of subcall function 02BB2D39: WSASetLastError.WS2_32(00000000), ref: 02BB2D47
                                                                                            • Part of subcall function 02BB2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02BB2D5C
                                                                                          • WSASetLastError.WS2_32(00000000), ref: 02BB2E6D
                                                                                          • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02BB2E83
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$Sendselect
                                                                                          • String ID: 3'
                                                                                          • API String ID: 2958345159-280543908
                                                                                          • Opcode ID: 3e9f4fb879fbbed1072ded687d621f60237eb4dfeba70a6df947ae8af223c4e1
                                                                                          • Instruction ID: fdea746db243ce6b25b2329d7d3f25582735c3d11658a21246be1ced08d7f830
                                                                                          • Opcode Fuzzy Hash: 3e9f4fb879fbbed1072ded687d621f60237eb4dfeba70a6df947ae8af223c4e1
                                                                                          • Instruction Fuzzy Hash: 4E31ADB5A002059FDF12DF64C8247FEBBAAEF09394F0045DAEC0497240E7F095518FA0
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_logsqlite3_value_text
                                                                                          • String ID: string or blob too big
                                                                                          • API String ID: 2320820228-2803948771
                                                                                          • Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                          • Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
                                                                                          • Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                          • Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
                                                                                          APIs
                                                                                          • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02BB73D7,?,?,00000000), ref: 02BB86D4
                                                                                          • getsockname.WS2_32(?,?,?), ref: 02BB86EA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLastgetsockname
                                                                                          • String ID: &'
                                                                                          • API String ID: 566540725-655172784
                                                                                          • Opcode ID: e01bcaaab23fc35844c50802ef7fa718f0fb86977cb8c895d4b8c424e7ca5024
                                                                                          • Instruction ID: b35cb7a9ba2797db65a58aa6b76f9cfb6d998c47cfe3730081216bf635fafc0b
                                                                                          • Opcode Fuzzy Hash: e01bcaaab23fc35844c50802ef7fa718f0fb86977cb8c895d4b8c424e7ca5024
                                                                                          • Instruction Fuzzy Hash: 6F216276A01208DFDB11DF78D854ADEBBF5FF48324F1085AAE919EB280E770A9458B50
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BBBCB8
                                                                                            • Part of subcall function 02BBC294: std::exception::exception.LIBCMT ref: 02BBC2C3
                                                                                            • Part of subcall function 02BBCA4A: __EH_prolog.LIBCMT ref: 02BBCA4F
                                                                                            • Part of subcall function 02BC27C5: _malloc.LIBCMT ref: 02BC27DD
                                                                                            • Part of subcall function 02BBC2F3: __EH_prolog.LIBCMT ref: 02BBC2F8
                                                                                          Strings
                                                                                          • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02BBBCF5
                                                                                          • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02BBBCEE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog$_mallocstd::exception::exception
                                                                                          • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                                          • API String ID: 1953324306-1943798000
                                                                                          • Opcode ID: 45563629941f1faa97d4bd8bdfc274f268e8065b7766a6e4d966ed52625861a0
                                                                                          • Instruction ID: ce4cb65a56936b43be75d0be9c2bdd804ee10ceb6caa2fc5f9c51dca573225e9
                                                                                          • Opcode Fuzzy Hash: 45563629941f1faa97d4bd8bdfc274f268e8065b7766a6e4d966ed52625861a0
                                                                                          • Instruction Fuzzy Hash: 03218D71E00248DEDF15EFE4D4546EDBBB5EF14704F0444DDE846AB241DBB09A44CB51
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BBBDAD
                                                                                            • Part of subcall function 02BBC36B: std::exception::exception.LIBCMT ref: 02BBC398
                                                                                            • Part of subcall function 02BBCB81: __EH_prolog.LIBCMT ref: 02BBCB86
                                                                                            • Part of subcall function 02BC27C5: _malloc.LIBCMT ref: 02BC27DD
                                                                                            • Part of subcall function 02BBC3C8: __EH_prolog.LIBCMT ref: 02BBC3CD
                                                                                          Strings
                                                                                          • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02BBBDEA
                                                                                          • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02BBBDE3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog$_mallocstd::exception::exception
                                                                                          • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                          • API String ID: 1953324306-412195191
                                                                                          • Opcode ID: ff0875cfd4a25e0f10e232f020a29c5188a59c35dea3f578bb8d43131357afa7
                                                                                          • Instruction ID: e9ed2304ee10f645d4452690f86d74bf2d3a5debac751aa56a88ae49ea2e88c5
                                                                                          • Opcode Fuzzy Hash: ff0875cfd4a25e0f10e232f020a29c5188a59c35dea3f578bb8d43131357afa7
                                                                                          • Instruction Fuzzy Hash: 7C218872E00208DADF15EBE4D854AEEBBB5EF14708F0045DEE946AB290DBB05A44CF91
                                                                                          APIs
                                                                                          • WSASetLastError.WS2_32(00000000), ref: 02BB2AEA
                                                                                          • connect.WS2_32(?,?,?), ref: 02BB2AF5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLastconnect
                                                                                          • String ID: 3'
                                                                                          • API String ID: 374722065-280543908
                                                                                          • Opcode ID: 61d0d23b0681bca1957709eab2fe2aa447676bf256da8a5ae7b9111398567820
                                                                                          • Instruction ID: 6dacb23744b3cdf1c75461e132da1748f28805d1ae1c78c4fa69f9b7e9895b9e
                                                                                          • Opcode Fuzzy Hash: 61d0d23b0681bca1957709eab2fe2aa447676bf256da8a5ae7b9111398567820
                                                                                          • Instruction Fuzzy Hash: 4321A775E00204ABDF21AFB8D8246FEBBBAEF44324F1045D9EC1997280EBF446018F91
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe,00000104,?,00000000,?,?,?,?,00402AAE), ref: 004034E8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileModuleName
                                                                                          • String ID: @5s$C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          • API String ID: 514040917-3103448983
                                                                                          • Opcode ID: fb5c55198afee46675355dbdb42a24e36b7e1d4a873aa9411ac381ea829ed9c3
                                                                                          • Instruction ID: 8a680a265684d73f1cf4cb16a0ea07de32856b7fd9f1941a07a0323ddc07a6b1
                                                                                          • Opcode Fuzzy Hash: fb5c55198afee46675355dbdb42a24e36b7e1d4a873aa9411ac381ea829ed9c3
                                                                                          • Instruction Fuzzy Hash: 44114CB2900119BFDB11EF99DD81CAB7BBCEA05358B10007BF505F7291E674AF448BA8
                                                                                          APIs
                                                                                          • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                                                          • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                          • String ID:
                                                                                          • API String ID: 3265351223-3916222277
                                                                                          • Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                          • Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
                                                                                          • Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                          • Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_stricmp
                                                                                          • String ID: log
                                                                                          • API String ID: 912767213-2403297477
                                                                                          • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                          • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                                                          • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                          • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB396A
                                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 02BB39C1
                                                                                            • Part of subcall function 02BB1410: std::exception::exception.LIBCMT ref: 02BB1428
                                                                                            • Part of subcall function 02BB9622: __EH_prolog.LIBCMT ref: 02BB9627
                                                                                            • Part of subcall function 02BB9622: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BB9636
                                                                                            • Part of subcall function 02BB9622: __CxxThrowException@8.LIBCMT ref: 02BB9655
                                                                                          Strings
                                                                                          • Day of month is not valid for year, xrefs: 02BB39AC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                          • String ID: Day of month is not valid for year
                                                                                          • API String ID: 1404951899-1521898139
                                                                                          • Opcode ID: 6a85e58ccde55451e561d6faa55f4699ba394fa989142f7ab345beef07b8453a
                                                                                          • Instruction ID: f464e3c83eb89378569f141bf8b6e04b0363ec9785a534111c1e637d298268b7
                                                                                          • Opcode Fuzzy Hash: 6a85e58ccde55451e561d6faa55f4699ba394fa989142f7ab345beef07b8453a
                                                                                          • Instruction Fuzzy Hash: 4501B536910249AADF05EFA4D401AFEBB79FF14710F00449AFD1593210EB704B55CF95
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_strnicmp
                                                                                          • String ID: SQLITE_
                                                                                          • API String ID: 1961171630-787686576
                                                                                          • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                          • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                                          • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                          • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                                          APIs
                                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                                          • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                                          Strings
                                                                                          • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                                          • String ID: Invalid argument to rtreedepth()
                                                                                          • API String ID: 1063208240-2843521569
                                                                                          • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                          • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                                          • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                          • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                                          APIs
                                                                                          • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                            • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                            • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                            • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                            • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                          • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                                          • String ID: soft_heap_limit
                                                                                          • API String ID: 1251656441-405162809
                                                                                          • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                          • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                                          • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                          • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                                          APIs
                                                                                          • std::exception::exception.LIBCMT ref: 02BBEB1B
                                                                                          • __CxxThrowException@8.LIBCMT ref: 02BBEB30
                                                                                            • Part of subcall function 02BC27C5: _malloc.LIBCMT ref: 02BC27DD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                          • String ID: bad allocation
                                                                                          • API String ID: 4063778783-2104205924
                                                                                          • Opcode ID: 34453d9171589555d40bad4e9590c26c759456d5bccc89a3c9f7aa277842f914
                                                                                          • Instruction ID: 4d62761374c9106869dc4c0872ac38ecb96650c3b95c7378e314ee4c1fdb321d
                                                                                          • Opcode Fuzzy Hash: 34453d9171589555d40bad4e9590c26c759456d5bccc89a3c9f7aa277842f914
                                                                                          • Instruction Fuzzy Hash: 84F0A770A003096BDF19AAB89895DFF73ECDF05614B5005EAE911E3281FFB1EA40C951
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB3C1B
                                                                                          • std::bad_exception::bad_exception.LIBCMT ref: 02BB3C30
                                                                                            • Part of subcall function 02BC14C7: std::exception::exception.LIBCMT ref: 02BC14D1
                                                                                            • Part of subcall function 02BB965B: __EH_prolog.LIBCMT ref: 02BB9660
                                                                                            • Part of subcall function 02BB965B: __CxxThrowException@8.LIBCMT ref: 02BB9689
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                          • String ID: bad cast
                                                                                          • API String ID: 1300498068-3145022300
                                                                                          • Opcode ID: 63a1cd585c595cd43955201d663f5c25d61d10736011cbee4cc9ec21e1e8a24c
                                                                                          • Instruction ID: 061ab18df8243cf1ea5ffb9c5400f5c7b12abdd070ca0b0ee7e09854e6950c84
                                                                                          • Opcode Fuzzy Hash: 63a1cd585c595cd43955201d663f5c25d61d10736011cbee4cc9ec21e1e8a24c
                                                                                          • Instruction Fuzzy Hash: 56F0A032900508CBC70ADFA8D441AEAB7B5EF52715F1001EEED1A5B251DBB29A46CE91
                                                                                          APIs
                                                                                          • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                                          • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: sqlite3_log
                                                                                          • String ID: NULL
                                                                                          • API String ID: 632333372-324932091
                                                                                          • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                          • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                                                          • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                          • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB3886
                                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 02BB38A5
                                                                                            • Part of subcall function 02BB1410: std::exception::exception.LIBCMT ref: 02BB1428
                                                                                            • Part of subcall function 02BB7990: _memmove.LIBCMT ref: 02BB79B0
                                                                                          Strings
                                                                                          • Day of month value is out of range 1..31, xrefs: 02BB3894
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                          • String ID: Day of month value is out of range 1..31
                                                                                          • API String ID: 3258419250-1361117730
                                                                                          • Opcode ID: feb9c4b870f02f3b43c6ad00fdfbf30a033302052ed14dbc5a0251e6e2b1f12a
                                                                                          • Instruction ID: 0f67d7cb1199680f762a1a8de69fb40fd732647dec48d4851d63a3bec21571c6
                                                                                          • Opcode Fuzzy Hash: feb9c4b870f02f3b43c6ad00fdfbf30a033302052ed14dbc5a0251e6e2b1f12a
                                                                                          • Instruction Fuzzy Hash: 2FE0D873F4011467EB15AB98C8117EDBBB9DF08710F0408DAE81573280EAF119448FD1
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB38D2
                                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 02BB38F1
                                                                                            • Part of subcall function 02BB1410: std::exception::exception.LIBCMT ref: 02BB1428
                                                                                            • Part of subcall function 02BB7990: _memmove.LIBCMT ref: 02BB79B0
                                                                                          Strings
                                                                                          • Year is out of valid range: 1400..10000, xrefs: 02BB38E0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                          • String ID: Year is out of valid range: 1400..10000
                                                                                          • API String ID: 3258419250-2344417016
                                                                                          • Opcode ID: f668a6d8f9a5b993f57b106ffc8e4f1a1f50f5410a3db1597f241e96ed031682
                                                                                          • Instruction ID: 6b668a28232e1ba0e000549252fa735a19af99e9fd68a9999e1b21f086c42168
                                                                                          • Opcode Fuzzy Hash: f668a6d8f9a5b993f57b106ffc8e4f1a1f50f5410a3db1597f241e96ed031682
                                                                                          • Instruction Fuzzy Hash: 87E09232E501146BEB15AB98C9117EDBBB9DF08710F0004DAE81563280EAB119448B95
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB391E
                                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 02BB393D
                                                                                            • Part of subcall function 02BB1410: std::exception::exception.LIBCMT ref: 02BB1428
                                                                                            • Part of subcall function 02BB7990: _memmove.LIBCMT ref: 02BB79B0
                                                                                          Strings
                                                                                          • Month number is out of range 1..12, xrefs: 02BB392C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                          • String ID: Month number is out of range 1..12
                                                                                          • API String ID: 3258419250-4198407886
                                                                                          • Opcode ID: 222f47e41c2f300022fd1de6ada6838c23b51eb30809363f7f1f714661239da0
                                                                                          • Instruction ID: 7177b4ce95e923258f22989f80bf0c2453ffbe08323b95dd3e279d72947f1794
                                                                                          • Opcode Fuzzy Hash: 222f47e41c2f300022fd1de6ada6838c23b51eb30809363f7f1f714661239da0
                                                                                          • Instruction Fuzzy Hash: 90E0D833F40114A7E725AB98C8117FDBBB9DF08710F0004DAE81163280EEF119448FD1
                                                                                          APIs
                                                                                          • TlsAlloc.KERNEL32 ref: 02BB19CC
                                                                                          • GetLastError.KERNEL32 ref: 02BB19D9
                                                                                            • Part of subcall function 02BB1712: __EH_prolog.LIBCMT ref: 02BB1717
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocErrorH_prologLast
                                                                                          • String ID: tss
                                                                                          • API String ID: 249634027-1638339373
                                                                                          • Opcode ID: 9a9f3c16e8dea155f34426cd5b56384c5721ebfea8b22fcdc6cf952c09aef075
                                                                                          • Instruction ID: c5299e168866dedfc08bbd323fc2acd0763360c33324157b1fc8b3175d51fad6
                                                                                          • Opcode Fuzzy Hash: 9a9f3c16e8dea155f34426cd5b56384c5721ebfea8b22fcdc6cf952c09aef075
                                                                                          • Instruction Fuzzy Hash: B7E02632C012104B83103B7CA8280EEBB949F00270F408BAAECA9C32C0FA7048108BC2
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 02BB3BD8
                                                                                          • std::bad_exception::bad_exception.LIBCMT ref: 02BB3BED
                                                                                            • Part of subcall function 02BC14C7: std::exception::exception.LIBCMT ref: 02BC14D1
                                                                                            • Part of subcall function 02BB965B: __EH_prolog.LIBCMT ref: 02BB9660
                                                                                            • Part of subcall function 02BB965B: __CxxThrowException@8.LIBCMT ref: 02BB9689
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2612481213.0000000002BB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2bb1000_mediacodecpack.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                          • String ID: bad cast
                                                                                          • API String ID: 1300498068-3145022300
                                                                                          • Opcode ID: 19bb30c5905b04f05dcdbed0121b7b683b71121a40980b8d6c73211d37ddfa0b
                                                                                          • Instruction ID: 9004b142061d844008319342da00d85c6d0dbc6044b53fce1cb7fc74f3f11e18
                                                                                          • Opcode Fuzzy Hash: 19bb30c5905b04f05dcdbed0121b7b683b71121a40980b8d6c73211d37ddfa0b
                                                                                          • Instruction Fuzzy Hash: 40E09231900148DBC71AEFA8C142BFCBBB1EF11304F0080ECED1A23290EB320A05CE82
                                                                                          APIs
                                                                                          • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404608
                                                                                          • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040463C
                                                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404656
                                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040466D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2610209078.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2610209078.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocHeap$FreeVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 3499195154-0
                                                                                          • Opcode ID: 89e6c41d760d97d5fcc59a371cb6f4e80e60aa6d464a71aa99f6417c7b537c35
                                                                                          • Instruction ID: 2adbec297c34dc3d5fc58a6281b1bdaad71761cfda4098cfa9d0d345734132fa
                                                                                          • Opcode Fuzzy Hash: 89e6c41d760d97d5fcc59a371cb6f4e80e60aa6d464a71aa99f6417c7b537c35
                                                                                          • Instruction Fuzzy Hash: 2D114C70250701DFD7308F28EE85E127BB5F7867207108B3DEAA1E25E0D7359845CB08
                                                                                          APIs
                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                                          • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2614247619.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                          • Associated: 00000003.00000002.2614228439.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614414130.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614449070.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614529011.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614591716.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                          • Associated: 00000003.00000002.2614795361.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                          • String ID:
                                                                                          • API String ID: 682475483-0
                                                                                          • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                          • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                                                          • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                          • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2